Vulnerability-Lookup

RHSA-2026:16542

Vulnerability from csaf_redhat - Published: 2026-05-12 21:26 - Updated: 2026-05-15 21:06

Summary

Red Hat Security Advisory: Kiali 2.22.3 for Red Hat OpenShift Service Mesh 3.3

Severity

Important

Notes

Topic: Kiali 2.22.3 for Red Hat OpenShift Service Mesh 3.3 is now available. An update is now available for Red Hat OpenShift Service Mesh 3.3. This advisory contains the RPM packages for the Kiali component. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Kiali 2.22.3, for Red Hat OpenShift Service Mesh 3.3, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-32280 Go: Denial of Service vulnerability in certificate chain building (OSSM-13286) * CVE-2026-40895 follow-redirects: Information disclosure via cross-domain redirects (OSSM-13557, OSSM-13561) * CVE-2026-42033 Axios: HTTP Transport Hijacking via Prototype Pollution (OSSM-13694, OSSM-13698) * CVE-2026-42035 Axios: Arbitrary HTTP header injection via prototype pollution (OSSM-13606, OSSM-13607) * CVE-2026-42043 Axios: NO_PROXY bypass via crafted URL (OSSM-13716, OSSM-13720) * CVE-2026-42039 Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data (OSSM-13730, OSSM-13734) * CVE-2026-42041 Axios: Authentication bypass due to prototype pollution of HTTP error handling (OSSM-13744, OSSM-13748) * CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget (OSSM-13786, OSSM-13787) Bug Fix(es): * OSSM-13773 OSSMC MTLS icon is not working For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-32280

A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix

Known not affected 9 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x		—

Threats

Impact Important

CVE-2026-40895

A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redirect target, potentially leading to the unintended disclosure of authentication information to an untrusted third party.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix

Known not affected 5 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x		—

Threats

Impact Important

CVE-2026-42033

A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix

Known not affected 5 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x		—

Threats

Impact Important

CVE-2026-42035

A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix Workaround

Known not affected 5 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x	—	Workaround

Threats

Impact Moderate

CVE-2026-42039

A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix

Known not affected 5 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x		—

Threats

Impact Important

CVE-2026-42041

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix

Known not affected 5 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x		—

Threats

Impact Important

CVE-2026-42043

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-918 - Server-Side Request Forgery (SSRF)

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix

Known not affected 5 products

Product	Identifier	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le		—
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x		—

Threats

Impact Important

CVE-2026-42044

A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected products

Fixed 8 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x	—	Vendor Fix fix Workaround

Known not affected 5 products

Product	Version	Remediation
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le	—	Workaround
Unresolved product id: Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x	—	Workaround

Threats

Impact Important

References

55 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:16542	self
https://access.redhat.com/security/cve/CVE-2026-32280	external
https://access.redhat.com/security/cve/CVE-2026-40895	external
https://access.redhat.com/security/cve/CVE-2026-42033	external
https://access.redhat.com/security/cve/CVE-2026-42035	external
https://access.redhat.com/security/cve/CVE-2026-42039	external
https://access.redhat.com/security/cve/CVE-2026-42041	external
https://access.redhat.com/security/cve/CVE-2026-42043	external
https://access.redhat.com/security/cve/CVE-2026-42044	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/updates/classi…	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-32280	self
https://bugzilla.redhat.com/show_bug.cgi?id=2456339	external
https://www.cve.org/CVERecord?id=CVE-2026-32280	external
https://nvd.nist.gov/vuln/detail/CVE-2026-32280	external
https://go.dev/cl/758320	external
https://go.dev/issue/78282	external
https://groups.google.com/g/golang-announce/c/0uY…	external
https://pkg.go.dev/vuln/GO-2026-4947	external
https://access.redhat.com/security/cve/CVE-2026-40895	self
https://bugzilla.redhat.com/show_bug.cgi?id=2460297	external
https://www.cve.org/CVERecord?id=CVE-2026-40895	external
https://nvd.nist.gov/vuln/detail/CVE-2026-40895	external
https://github.com/follow-redirects/follow-redire…	external
https://access.redhat.com/security/cve/CVE-2026-42033	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461607	external
https://www.cve.org/CVERecord?id=CVE-2026-42033	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42033	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42035	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461606	external
https://www.cve.org/CVERecord?id=CVE-2026-42035	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42035	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42039	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461630	external
https://www.cve.org/CVERecord?id=CVE-2026-42039	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42039	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42041	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461629	external
https://www.cve.org/CVERecord?id=CVE-2026-42041	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42041	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42043	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461626	external
https://www.cve.org/CVERecord?id=CVE-2026-42043	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42043	external
https://github.com/axios/axios/security/advisorie…	external
https://access.redhat.com/security/cve/CVE-2026-42044	self
https://bugzilla.redhat.com/show_bug.cgi?id=2461624	external
https://www.cve.org/CVERecord?id=CVE-2026-42044	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42044	external
https://github.com/axios/axios/security/advisorie…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Kiali 2.22.3 for Red Hat OpenShift Service Mesh 3.3 is now available.\nAn update is now available for Red Hat OpenShift Service Mesh 3.3. This advisory contains the RPM packages for the Kiali component.\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Kiali 2.22.3, for Red Hat OpenShift Service Mesh 3.3, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently.\n\nSecurity Fix(es):\n\n* CVE-2026-32280 Go: Denial of Service vulnerability in certificate chain building (OSSM-13286)\n* CVE-2026-40895 follow-redirects: Information disclosure via cross-domain redirects (OSSM-13557, OSSM-13561)\n* CVE-2026-42033 Axios: HTTP Transport Hijacking via Prototype Pollution (OSSM-13694, OSSM-13698)\n* CVE-2026-42035 Axios: Arbitrary HTTP header injection via prototype pollution (OSSM-13606, OSSM-13607)\n* CVE-2026-42043 Axios: NO_PROXY bypass via crafted URL (OSSM-13716, OSSM-13720)\n* CVE-2026-42039 Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data (OSSM-13730, OSSM-13734)\n* CVE-2026-42041 Axios: Authentication bypass due to prototype pollution of HTTP error handling (OSSM-13744, OSSM-13748)\n* CVE-2026-42044 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget (OSSM-13786, OSSM-13787)\n\nBug Fix(es):\n\n* OSSM-13773 OSSMC MTLS icon is not working\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:16542",
        "url": "https://access.redhat.com/errata/RHSA-2026:16542"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-32280",
        "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-40895",
        "url": "https://access.redhat.com/security/cve/CVE-2026-40895"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42033",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42033"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42035",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42035"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42039",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42039"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42041",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42041"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42043",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42043"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42044"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification",
        "url": "https://access.redhat.com/security/updates/classification"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_16542.json"
      }
    ],
    "title": "Red Hat Security Advisory: Kiali 2.22.3 for Red Hat OpenShift Service Mesh 3.3",
    "tracking": {
      "current_release_date": "2026-05-15T21:06:36+00:00",
      "generator": {
        "date": "2026-05-15T21:06:36+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2026:16542",
      "initial_release_date": "2026-05-12T21:26:48+00:00",
      "revision_history": [
        {
          "date": "2026-05-12T21:26:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-12T21:26:53+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-15T21:06:36+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Service Mesh 3.3",
                "product": {
                  "name": "Red Hat OpenShift Service Mesh 3.3",
                  "product_id": "Red Hat OpenShift Service Mesh 3.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:service_mesh:3.3::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Service Mesh"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3A78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163986"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-operator-bundle@sha256%3Af2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778193757"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9-operator@sha256%3A84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163701"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Ae19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff?arch=amd64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163785"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3A090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163986"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9-operator@sha256%3Aa1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163701"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Aa8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45?arch=arm64\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163785"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3Aaba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163986"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9-operator@sha256%3Aa85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163701"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3A4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163785"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9@sha256%3Ad39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163986"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-rhel9-operator@sha256%3Adddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163701"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
                "product": {
                  "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
                  "product_id": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kiali-ossmc-rhel9@sha256%3Aa2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7?arch=s390x\u0026repository_url=registry.redhat.io/openshift-service-mesh\u0026tag=1778163785"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64 as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64 as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x as a component of Red Hat OpenShift Service Mesh 3.3",
          "product_id": "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        },
        "product_reference": "registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x",
        "relates_to_product_reference": "Red Hat OpenShift Service Mesh 3.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32280",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-08T02:01:19.572351+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2456339"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being performed. This can result in a denial of service (DoS) condition, making the affected system or application unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "RHBZ#2456339",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-32280",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/758320",
          "url": "https://go.dev/cl/758320"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78282",
          "url": "https://go.dev/issue/78282"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU",
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4947",
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "release_date": "2026-04-08T01:06:58.595000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building"
    },
    {
      "cve": "CVE-2026-40895",
      "cwe": {
        "id": "CWE-212",
        "name": "Improper Removal of Sensitive Information Before Storage or Transfer"
      },
      "discovery_date": "2026-04-21T21:02:33.280553+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2460297"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redirect target, potentially leading to the unintended disclosure of authentication information to an untrusted third party.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "follow-redirects: follow-redirects: Information disclosure via cross-domain redirects",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-40895"
        },
        {
          "category": "external",
          "summary": "RHBZ#2460297",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460297"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-40895",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40895"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40895",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40895"
        },
        {
          "category": "external",
          "summary": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653",
          "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"
        }
      ],
      "release_date": "2026-04-21T19:59:59.759000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "follow-redirects: follow-redirects: Information disclosure via cross-domain redirects"
    },
    {
      "cve": "CVE-2026-42033",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T18:01:20.937507+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461607"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461607",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461607"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42033",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
        }
      ],
      "release_date": "2026-04-24T17:36:44.132000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution"
    },
    {
      "cve": "CVE-2026-42035",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T18:01:17.109481+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application\u0027s core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Arbitrary HTTP header injection via prototype pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42035",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
        }
      ],
      "release_date": "2026-04-24T17:38:07.752000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "axios: Axios: Arbitrary HTTP header injection via prototype pollution"
    },
    {
      "cve": "CVE-2026-42039",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-24T19:01:44.887156+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461630"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461630",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461630"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42039",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
        }
      ],
      "release_date": "2026-04-24T18:01:30.775000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data"
    },
    {
      "cve": "CVE-2026-42041",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T19:01:41.034289+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461629"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461629",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461629"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42041",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
        }
      ],
      "release_date": "2026-04-24T17:55:30.036000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling"
    },
    {
      "cve": "CVE-2026-42043",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2026-04-24T19:01:22.552379+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461626"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: NO_PROXY bypass via crafted URL",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461626",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461626"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42043",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
        }
      ],
      "release_date": "2026-04-24T17:54:42.668000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: NO_PROXY bypass via crafted URL"
    },
    {
      "cve": "CVE-2026-42044",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T19:01:13.418725+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461624"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
          "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461624",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
        }
      ],
      "release_date": "2026-04-24T17:49:49.517000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-12T21:26:48+00:00",
          "details": "See Kiali 2.22.3 documentation at https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/3.3/html/observability/kiali-operator-provided-by-red-hat",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:16542"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-operator-bundle@sha256:f2a866a31810c6bc52d68ab3d5d3f8dd44ccf998a6453f658835927eedd33297_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:4fcc3d48a763c1cc51b2cd253a4862c7bf99cd614163ef2f80d5a2f8968066a1_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a2653de5f3faf7d7841393935e7ac5854dcb142c6dcf4342bd3780ca0a2c49a7_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:a8aa325e131bbf968e1d1d73703a127c442748633b0cf3122dc4589ee166bb45_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-ossmc-rhel9@sha256:e19802cc2f5e1bbbd60343303fbd0c0ac2f35e45da3911f2e0b379e5eed437ff_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:84019963d8034b33331e015389e8c76b4c58ffe83fb6613b548af3218b4b7ffc_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a1e557b983f7579cb3a402bfae03e9015c176240842ac51d67a83f301b77b4fd_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:a85ccd92fc8328805bce9266f3b7356406bff3583d20c9f0307e2f32d8134efc_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9-operator@sha256:dddf652e126cf6c782f64b4999dd560c93e4877f89e7c5b20cbedd75ff468f26_s390x",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:090606c29b60475f35670aaa1147e584eb8533c0506ec81a96fae7fcbe3187c1_arm64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:78f6df0632a9a6bf00ee1b60447d24ba2e5d7c2114e410380b7344201bc4fc5b_amd64",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:aba022fa90760e6af6aeb71ef239682e874a53128744ca6f1a44781d3b82a56f_ppc64le",
            "Red Hat OpenShift Service Mesh 3.3:registry.redhat.io/openshift-service-mesh/kiali-rhel9@sha256:d39dd709dbe62218720d56bda7c8c2441f9dc3b2acfae27307b50b86c16a866e_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
    }
  ]
}

CVE-2026-42035 (GCVE-0-2026-42035)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:38 – Updated: 2026-04-25 03:55

Title

Axios: Header Injection via Prototype Pollution

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42035",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-25T03:55:59.169Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself \u2014 any prototype pollution primitive in any dependency in the application\u0027s dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:38:07.752Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
        }
      ],
      "source": {
        "advisory": "GHSA-6chq-wfr3-2hj9",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Header Injection via Prototype Pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42035",
    "datePublished": "2026-04-24T17:38:07.752Z",
    "dateReserved": "2026-04-23T16:05:01.708Z",
    "dateUpdated": "2026-04-25T03:55:59.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42043 (GCVE-0-2026-42043)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:54 – Updated: 2026-04-27 13:47

Title

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-183 - Permissive List of Allowed Inputs
CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42043",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T13:47:20.443878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T13:47:24.724Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-183",
              "description": "CWE-183: Permissive List of Allowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:54:42.668Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
        }
      ],
      "source": {
        "advisory": "GHSA-pmwg-cvhr-8vh7",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Incomplete Fix for CVE-2025-62718 \u2014 NO_PROXY  Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8)  in Axios 1.15.0"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42043",
    "datePublished": "2026-04-24T17:54:42.668Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-27T13:47:24.724Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42041 (GCVE-0-2026-42041)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:55 – Updated: 2026-04-24 18:32

Title

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-287 - Improper Authentication
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42041",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T18:29:47.107016Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:32:58.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript\u0027s in operator \u2014 an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () =\u003e true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:55:30.036Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
        }
      ],
      "source": {
        "advisory": "GHSA-w9j2-pvgh-6h63",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42041",
    "datePublished": "2026-04-24T17:55:30.036Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-24T18:32:58.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42044 (GCVE-0-2026-42044)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:49 – Updated: 2026-04-24 18:12

Title

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Summary

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

CWE

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42044",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T18:11:49.647774Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:12:13.920Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution in the application\u0027s dependency tree to be escalated into surgical, invisible modification of all JSON API responses \u2014 including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:50:26.586Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
        }
      ],
      "source": {
        "advisory": "GHSA-3w6x-2g7m-8v23",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42044",
    "datePublished": "2026-04-24T17:49:49.517Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-24T18:12:13.920Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42039 (GCVE-0-2026-42039)

Vulnerability from cvelistv5 – Published: 2026-04-24 18:01 – Updated: 2026-04-24 18:14

Title

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-674 - Uncontrolled Recursion

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42039",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T18:14:11.509943Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:14:37.802Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T18:01:30.775Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
        }
      ],
      "source": {
        "advisory": "GHSA-62hf-57xw-28j9",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42039",
    "datePublished": "2026-04-24T18:01:30.775Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-24T18:14:37.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32280 (GCVE-0-2026-32280)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-08 17:46

Title

Unexpected work during chain building in crypto/x509

Summary

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4947

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32280",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T17:46:14.569488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T17:46:47.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.buildChains"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.595Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758320"
        },
        {
          "url": "https://go.dev/issue/78282"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "title": "Unexpected work during chain building in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32280",
    "datePublished": "2026-04-08T01:06:58.595Z",
    "dateReserved": "2026-03-11T16:38:46.555Z",
    "dateUpdated": "2026-04-08T17:46:47.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40895 (GCVE-0-2026-40895)

Vulnerability from cvelistv5 – Published: 2026-04-21 19:59 – Updated: 2026-04-22 13:31

Title

follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets

Summary

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/follow-redirects/follow-redire…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
follow-redirects	follow-redirects	Affected: < 1.16.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:31:13.035788Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:31:34.652Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "follow-redirects",
          "vendor": "follow-redirects",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.16.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "follow-redirects is an open source, drop-in replacement for Node\u0027s `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T19:59:59.759Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"
        }
      ],
      "source": {
        "advisory": "GHSA-r4q5-vmmm-2653",
        "discovery": "UNKNOWN"
      },
      "title": "follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40895",
    "datePublished": "2026-04-21T19:59:59.759Z",
    "dateReserved": "2026-04-15T16:37:22.766Z",
    "dateUpdated": "2026-04-22T13:31:34.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42033 (GCVE-0-2026-42033)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:36 – Updated: 2026-04-25 03:55

Title

Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42033",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-25T03:55:57.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:36:44.132Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
        }
      ],
      "source": {
        "advisory": "GHSA-pf86-5x62-jrwf",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42033",
    "datePublished": "2026-04-24T17:36:44.132Z",
    "dateReserved": "2026-04-23T16:05:01.708Z",
    "dateUpdated": "2026-04-25T03:55:57.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:16542

CVE-2026-42035 (GCVE-0-2026-42035)

CVE-2026-42043 (GCVE-0-2026-42043)

CVE-2026-42041 (GCVE-0-2026-42041)

CVE-2026-42044 (GCVE-0-2026-42044)

CVE-2026-42039 (GCVE-0-2026-42039)

CVE-2026-32280 (GCVE-0-2026-32280)

CVE-2026-40895 (GCVE-0-2026-40895)

CVE-2026-42033 (GCVE-0-2026-42033)

Tags

Sightings

Nomenclature