RHSA-2026:33574

Vulnerability from csaf_redhat - Published: 2026-06-30 15:00 - Updated: 2026-06-30 18:11
Summary
Red Hat Security Advisory: Red Hat Developer Hub 1.9.6 release.
Severity
Important
Notes
Topic: Red Hat Developer Hub 1.9.6 has been released.
Details: Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2026-9277

A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.

8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Threats
Impact Important
CVE-2026-9673

A flaw was found in json-2-csv. An attacker can bypass the `preventCsvInjection` option to inject malicious formulas into CSV (Comma Separated Values) files. When these manipulated CSV files are opened in spreadsheet applications, the injected formulas can execute, potentially leading to arbitrary code execution or information disclosure.

6.1 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Moderate
CVE-2026-27145

A flaw was found in the `crypto/x509` package of `golang`. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by presenting a specially crafted X.509 certificate with a large number of DNS Subject Alternative Name (SAN) entries. The certificate verification process, specifically the `VerifyHostname` function, incurs excessive computational overhead due to repeated string operations when processing these entries. This can lead to a significant performance degradation or unresponsiveness of systems validating such certificates.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-606 - Unchecked Input for Loop Condition
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Threats
Impact Important
CVE-2026-33811

A flaw was found in the `net` package of Go (golang), specifically when using the `LookupCNAME` function with the `cgo` DNS resolver. A remote attacker could exploit this by providing a very long Canonical Name (CNAME) response. This can trigger a double-free of C memory, leading to a crash and a Denial of Service (DoS) for the affected application.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1341 - Multiple Releases of Same Resource or Handle
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Threats
Impact Important
CVE-2026-39820

A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-606 - Unchecked Input for Loop Condition
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Threats
Impact Important
CVE-2026-42033

A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.

7.4 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Threats
Impact Important
CVE-2026-42035

A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.

7.4 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Moderate
CVE-2026-42039

A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-770 - Allocation of Resources Without Limits or Throttling
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Threats
Impact Important
CVE-2026-42041

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.

8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Threats
Impact Important
CVE-2026-42043

A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.

7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE-918 - Server-Side Request Forgery (SSRF)
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Threats
Impact Important
CVE-2026-42044

A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution "Gadget" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.

7.4 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-42338

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser.

8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-42499

A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1046 - Creation of Immutable Text Using String Concatenation
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Threats
Impact Important
CVE-2026-44486

A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-201 - Insertion of Sensitive Information Into Sent Data
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-44487

A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-201 - Insertion of Sensitive Information Into Sent Data
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-44488

A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-770 - Allocation of Resources Without Limits or Throttling
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-44492

A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.

8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-289 - Authentication Bypass by Alternate Name
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-44494

A flaw was found in Axios. This vulnerability, a Prototype Pollution "Gadget" attack, allows an attacker to escalate any existing Object.prototype pollution in an application's dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.

8.7 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-44495

A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.

7.0 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-44496

A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1333 - Inefficient Regular Expression Complexity
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-44724

A flaw was found in systeminformation, a Node.js library. This vulnerability allows a local attacker on Linux to inject arbitrary commands. This occurs when an active NetworkManager connection profile name contains shell metacharacters, which are not properly sanitized before being used in shell commands. Successful exploitation can lead to arbitrary code execution.

7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
CVE-2026-45736

A flaw was found in ws, an open source WebSocket client and server for Node.js. The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. This can lead to the disclosure of sensitive information from uninitialized memory.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-824 - Access of Uninitialized Pointer
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Threats
Impact Important
CVE-2026-47131

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker can exploit this vulnerability by combining specific Buffer function calls and Node.js's ERR_INVALID_ARG_TYPE error. This allows the attacker to obtain the host's TypeError constructor, leading to an escape from the sandbox. Consequently, this enables attackers to run arbitrary code on the host system.

4.1 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Moderate
CVE-2026-47135

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. An attacker within the sandbox could exploit incomplete symbol interception and missing security checks to gain control over the host system. This could allow the attacker to execute arbitrary code outside the sandbox environment, leading to a complete compromise of the host.

8.7 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE-1100 - Insufficient Isolation of System-Dependent Functions
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Moderate
CVE-2026-47137

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker could bypass a security check designed to prevent the combination of nested environments and disabled module loading. This bypass occurs because a strict equality check for the `require` option can be circumvented by simply omitting the option, leading to an unintended configuration. Successful exploitation of this vulnerability could allow an attacker to escape the sandbox and achieve arbitrary code execution on the host system.

4.1 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE-480 - Use of Incorrect Operator
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Low
CVE-2026-47139

A flaw was found in vm2, a Node.js sandbox. This vulnerability allows sandboxed code to bypass network restrictions by utilizing internal HTTP built-ins, such as _http_client and _http_server. An attacker can exploit this to make outbound HTTP requests or open listening HTTP sockets, even when public network modules are explicitly denied. This could lead to unauthorized information disclosure or further compromise of the system.

8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-1100 - Insufficient Isolation of System-Dependent Functions
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Moderate
CVE-2026-47140

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows sandboxed code to bypass intended security restrictions by exploiting missing entries in the denylist for dangerous Node.js built-in functions, specifically `process` and `inspector/promises`. A remote attacker can leverage this to execute arbitrary code in the host process, leading to a complete compromise of the system.

4.1 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE-184 - Incomplete List of Disallowed Inputs
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Low
CVE-2026-47141

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. Prior to version 3.11.4, NodeVM, a component of vm2, improperly exposed certain process-wide observability builtins, such as diagnostics_channel, async_hooks, and perf_hooks. These builtins, which are designed for monitoring and debugging, were not adequately blocked by the dangerous builtin denylist. This oversight allowed sandboxed code to observe sensitive host application data, leading to information disclosure across the vm2 security boundary.

8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-653 - Improper Isolation or Compartmentalization
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Moderate
CVE-2026-47208

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by writing malicious code. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.

6.6 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Moderate
CVE-2026-47209

A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to bypass security restrictions by writing dangerous cross-realm Symbol keys to host objects. This can lead to a compromise of the integrity of the host system, potentially enabling arbitrary code execution within the Node.js environment. The issue stems from the BaseHandler.set trap in bridge.js, which incorrectly writes to the host target object even when inherited property assignments should create an own property on the receiver.

8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Threats
Impact Moderate
CVE-2026-48779

A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1050 - Excessive Platform Resource Consumption within a Loop
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64
Vendor Fix fix
Workaround
Product Identifier Version Remediation
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64
Workaround
Unresolved product id: Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64
Workaround
Threats
Impact Important
References
URL Category
https://access.redhat.com/errata/RHSA-2026:33574 self
https://access.redhat.com/security/cve/CVE-2026-27145 external
https://access.redhat.com/security/cve/CVE-2026-33811 external
https://access.redhat.com/security/cve/CVE-2026-39820 external
https://access.redhat.com/security/cve/CVE-2026-42033 external
https://access.redhat.com/security/cve/CVE-2026-42035 external
https://access.redhat.com/security/cve/CVE-2026-42039 external
https://access.redhat.com/security/cve/CVE-2026-42041 external
https://access.redhat.com/security/cve/CVE-2026-42043 external
https://access.redhat.com/security/cve/CVE-2026-42044 external
https://access.redhat.com/security/cve/CVE-2026-42338 external
https://access.redhat.com/security/cve/CVE-2026-42499 external
https://access.redhat.com/security/cve/CVE-2026-44486 external
https://access.redhat.com/security/cve/CVE-2026-44487 external
https://access.redhat.com/security/cve/CVE-2026-44488 external
https://access.redhat.com/security/cve/CVE-2026-44492 external
https://access.redhat.com/security/cve/CVE-2026-44494 external
https://access.redhat.com/security/cve/CVE-2026-44495 external
https://access.redhat.com/security/cve/CVE-2026-44496 external
https://access.redhat.com/security/cve/CVE-2026-44724 external
https://access.redhat.com/security/cve/CVE-2026-45736 external
https://access.redhat.com/security/cve/CVE-2026-47131 external
https://access.redhat.com/security/cve/CVE-2026-47135 external
https://access.redhat.com/security/cve/CVE-2026-47137 external
https://access.redhat.com/security/cve/CVE-2026-47139 external
https://access.redhat.com/security/cve/CVE-2026-47140 external
https://access.redhat.com/security/cve/CVE-2026-47141 external
https://access.redhat.com/security/cve/CVE-2026-47208 external
https://access.redhat.com/security/cve/CVE-2026-47209 external
https://access.redhat.com/security/cve/CVE-2026-48779 external
https://access.redhat.com/security/cve/CVE-2026-9277 external
https://access.redhat.com/security/cve/CVE-2026-9673 external
https://access.redhat.com/security/updates/classi… external
https://catalog.redhat.com/search?gs&searchType=c… external
https://developers.redhat.com/rhdh/overview external
https://docs.redhat.com/en/documentation/red_hat_… external
https://issues.redhat.com/browse/RHDHBUGS-3081 external
https://issues.redhat.com/browse/RHDHBUGS-3369 external
https://issues.redhat.com/browse/RHIDP-13319 external
https://issues.redhat.com/browse/RHIDP-13408 external
https://issues.redhat.com/browse/RHIDP-13446 external
https://issues.redhat.com/browse/RHIDP-13451 external
https://issues.redhat.com/browse/RHIDP-13457 external
https://issues.redhat.com/browse/RHIDP-13488 external
https://issues.redhat.com/browse/RHIDP-13966 external
https://issues.redhat.com/browse/RHIDP-14572 external
https://issues.redhat.com/browse/RHIDP-14597 external
https://issues.redhat.com/browse/RHIDP-14703 external
https://issues.redhat.com/browse/RHIDP-14733 external
https://issues.redhat.com/browse/RHIDP-14735 external
https://issues.redhat.com/browse/RHIDP-14736 external
https://issues.redhat.com/browse/RHIDP-14738 external
https://issues.redhat.com/browse/RHIDP-14740 external
https://issues.redhat.com/browse/RHIDP-14743 external
https://issues.redhat.com/browse/RHIDP-14744 external
https://issues.redhat.com/browse/RHIDP-14831 external
https://issues.redhat.com/browse/RHIDP-14835 external
https://issues.redhat.com/browse/RHIDP-14837 external
https://issues.redhat.com/browse/RHIDP-14895 external
https://issues.redhat.com/browse/RHIDP-14936 external
https://issues.redhat.com/browse/RHIDP-14937 external
https://issues.redhat.com/browse/RHIDP-14939 external
https://issues.redhat.com/browse/RHIDP-14941 external
https://issues.redhat.com/browse/RHIDP-14943 external
https://issues.redhat.com/browse/RHIDP-15033 external
https://issues.redhat.com/browse/RHIDP-15039 external
https://issues.redhat.com/browse/RHIDP-15042 external
https://issues.redhat.com/browse/RHIDP-15067 external
https://issues.redhat.com/browse/RHIDP-15073 external
https://issues.redhat.com/browse/RHIDP-15145 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2026-9277 self
https://bugzilla.redhat.com/show_bug.cgi?id=2480741 external
https://www.cve.org/CVERecord?id=CVE-2026-9277 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9277 external
https://github.com/ljharb/shell-quote external
https://github.com/ljharb/shell-quote/commit/1518179 external
https://github.com/ljharb/shell-quote/security/ad… external
https://www.npmjs.com/package/shell-quote external
https://access.redhat.com/security/cve/CVE-2026-9673 self
https://bugzilla.redhat.com/show_bug.cgi?id=2482486 external
https://www.cve.org/CVERecord?id=CVE-2026-9673 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9673 external
https://gist.github.com/whoamins/299745a2d36b482b… external
https://github.com/mrodrig/json-2-csv/blob/main/s… external
https://github.com/mrodrig/json-2-csv/commit/0fdd… external
https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326 external
https://access.redhat.com/security/cve/CVE-2026-27145 self
https://bugzilla.redhat.com/show_bug.cgi?id=2484207 external
https://www.cve.org/CVERecord?id=CVE-2026-27145 external
https://nvd.nist.gov/vuln/detail/CVE-2026-27145 external
https://go.dev/cl/783621 external
https://go.dev/issue/79694 external
https://groups.google.com/g/golang-announce/c/tKs… external
https://pkg.go.dev/vuln/GO-2026-5037 external
https://access.redhat.com/security/cve/CVE-2026-33811 self
https://bugzilla.redhat.com/show_bug.cgi?id=2467822 external
https://www.cve.org/CVERecord?id=CVE-2026-33811 external
https://nvd.nist.gov/vuln/detail/CVE-2026-33811 external
https://go.dev/cl/767860 external
https://go.dev/issue/78803 external
https://groups.google.com/g/golang-announce/c/qcC… external
https://pkg.go.dev/vuln/GO-2026-4981 external
https://access.redhat.com/security/cve/CVE-2026-39820 self
https://bugzilla.redhat.com/show_bug.cgi?id=2467820 external
https://www.cve.org/CVERecord?id=CVE-2026-39820 external
https://nvd.nist.gov/vuln/detail/CVE-2026-39820 external
https://go.dev/cl/759940 external
https://go.dev/issue/78566 external
https://pkg.go.dev/vuln/GO-2026-4986 external
https://access.redhat.com/security/cve/CVE-2026-42033 self
https://bugzilla.redhat.com/show_bug.cgi?id=2461607 external
https://www.cve.org/CVERecord?id=CVE-2026-42033 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42033 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-42035 self
https://bugzilla.redhat.com/show_bug.cgi?id=2461606 external
https://www.cve.org/CVERecord?id=CVE-2026-42035 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42035 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-42039 self
https://bugzilla.redhat.com/show_bug.cgi?id=2461630 external
https://www.cve.org/CVERecord?id=CVE-2026-42039 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42039 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-42041 self
https://bugzilla.redhat.com/show_bug.cgi?id=2461629 external
https://www.cve.org/CVERecord?id=CVE-2026-42041 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42041 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-42043 self
https://bugzilla.redhat.com/show_bug.cgi?id=2461626 external
https://www.cve.org/CVERecord?id=CVE-2026-42043 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42043 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-42044 self
https://bugzilla.redhat.com/show_bug.cgi?id=2461624 external
https://www.cve.org/CVERecord?id=CVE-2026-42044 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42044 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-42338 self
https://bugzilla.redhat.com/show_bug.cgi?id=2476810 external
https://www.cve.org/CVERecord?id=CVE-2026-42338 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42338 external
https://github.com/beaugunderson/ip-address/secur… external
https://access.redhat.com/security/cve/CVE-2026-42499 self
https://bugzilla.redhat.com/show_bug.cgi?id=2467809 external
https://www.cve.org/CVERecord?id=CVE-2026-42499 external
https://nvd.nist.gov/vuln/detail/CVE-2026-42499 external
https://go.dev/cl/771520 external
https://go.dev/issue/78987 external
https://pkg.go.dev/vuln/GO-2026-4977 external
https://access.redhat.com/security/cve/CVE-2026-44486 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487947 external
https://www.cve.org/CVERecord?id=CVE-2026-44486 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44486 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44487 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487948 external
https://www.cve.org/CVERecord?id=CVE-2026-44487 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44487 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44488 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487949 external
https://www.cve.org/CVERecord?id=CVE-2026-44488 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44488 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44492 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487938 external
https://www.cve.org/CVERecord?id=CVE-2026-44492 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44492 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44494 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487942 external
https://www.cve.org/CVERecord?id=CVE-2026-44494 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44494 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44495 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487937 external
https://www.cve.org/CVERecord?id=CVE-2026-44495 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44495 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44496 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487943 external
https://www.cve.org/CVERecord?id=CVE-2026-44496 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44496 external
https://github.com/axios/axios/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-44724 self
https://bugzilla.redhat.com/show_bug.cgi?id=2482416 external
https://www.cve.org/CVERecord?id=CVE-2026-44724 external
https://nvd.nist.gov/vuln/detail/CVE-2026-44724 external
https://github.com/sebhildebrandt/systeminformati… external
https://access.redhat.com/security/cve/CVE-2026-45736 self
https://bugzilla.redhat.com/show_bug.cgi?id=2477914 external
https://www.cve.org/CVERecord?id=CVE-2026-45736 external
https://nvd.nist.gov/vuln/detail/CVE-2026-45736 external
https://github.com/websockets/ws/commit/c0327ec15… external
https://github.com/websockets/ws/security/advisor… external
https://access.redhat.com/security/cve/CVE-2026-47131 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488393 external
https://www.cve.org/CVERecord?id=CVE-2026-47131 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47131 external
https://github.com/patriksimek/vm2/commit/27c525f… external
https://github.com/patriksimek/vm2/releases/tag/v3.11.4 external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-47135 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488396 external
https://www.cve.org/CVERecord?id=CVE-2026-47135 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47135 external
https://github.com/patriksimek/vm2/commit/928aef5… external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-47137 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488385 external
https://www.cve.org/CVERecord?id=CVE-2026-47137 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47137 external
https://github.com/advisories/GHSA-g644-9gfx-q4q4 external
https://github.com/patriksimek/vm2/commit/01a7552… external
https://github.com/patriksimek/vm2/commit/86ab819… external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-47139 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488387 external
https://www.cve.org/CVERecord?id=CVE-2026-47139 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47139 external
https://github.com/patriksimek/vm2/commit/436053e… external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-47140 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488381 external
https://www.cve.org/CVERecord?id=CVE-2026-47140 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47140 external
https://github.com/patriksimek/vm2/commit/a1ed47a… external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-47141 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488379 external
https://www.cve.org/CVERecord?id=CVE-2026-47141 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47141 external
https://github.com/patriksimek/vm2/commit/e1c48fc… external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-47208 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488382 external
https://www.cve.org/CVERecord?id=CVE-2026-47208 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47208 external
https://github.com/patriksimek/vm2/commit/a462655… external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-47209 self
https://bugzilla.redhat.com/show_bug.cgi?id=2488397 external
https://www.cve.org/CVERecord?id=CVE-2026-47209 external
https://nvd.nist.gov/vuln/detail/CVE-2026-47209 external
https://github.com/patriksimek/vm2/commit/26d0318… external
https://github.com/patriksimek/vm2/security/advis… external
https://access.redhat.com/security/cve/CVE-2026-48779 self
https://bugzilla.redhat.com/show_bug.cgi?id=2489661 external
https://www.cve.org/CVERecord?id=CVE-2026-48779 external
https://nvd.nist.gov/vuln/detail/CVE-2026-48779 external
https://github.com/websockets/ws/commit/86d3e8a5f… external
https://github.com/websockets/ws/commit/b5372ac67… external
https://github.com/websockets/ws/commit/bca91adf1… external
https://github.com/websockets/ws/commit/fd36cd864… external
https://github.com/websockets/ws/security/advisor… external
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Developer Hub 1.9.6 has been released.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:33574",
        "url": "https://access.redhat.com/errata/RHSA-2026:33574"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-27145",
        "url": "https://access.redhat.com/security/cve/CVE-2026-27145"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33811",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33811"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-39820",
        "url": "https://access.redhat.com/security/cve/CVE-2026-39820"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42033",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42033"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42035",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42035"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42039",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42039"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42041",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42041"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42043",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42043"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42044",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42044"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42338",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42338"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42499",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42499"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44486",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44486"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44487",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44487"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44488",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44488"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44492",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44492"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44494",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44494"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44495",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44495"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44496",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44496"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-44724",
        "url": "https://access.redhat.com/security/cve/CVE-2026-44724"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-45736",
        "url": "https://access.redhat.com/security/cve/CVE-2026-45736"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47131",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47131"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47135",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47135"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47137",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47137"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47139",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47139"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47140",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47140"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47141",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47141"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47208",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47208"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47209",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47209"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-48779",
        "url": "https://access.redhat.com/security/cve/CVE-2026-48779"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-9277",
        "url": "https://access.redhat.com/security/cve/CVE-2026-9277"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-9673",
        "url": "https://access.redhat.com/security/cve/CVE-2026-9673"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
        "url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
      },
      {
        "category": "external",
        "summary": "https://developers.redhat.com/rhdh/overview",
        "url": "https://developers.redhat.com/rhdh/overview"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
        "url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHDHBUGS-3081",
        "url": "https://issues.redhat.com/browse/RHDHBUGS-3081"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHDHBUGS-3369",
        "url": "https://issues.redhat.com/browse/RHDHBUGS-3369"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-13319",
        "url": "https://issues.redhat.com/browse/RHIDP-13319"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-13408",
        "url": "https://issues.redhat.com/browse/RHIDP-13408"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-13446",
        "url": "https://issues.redhat.com/browse/RHIDP-13446"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-13451",
        "url": "https://issues.redhat.com/browse/RHIDP-13451"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-13457",
        "url": "https://issues.redhat.com/browse/RHIDP-13457"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-13488",
        "url": "https://issues.redhat.com/browse/RHIDP-13488"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-13966",
        "url": "https://issues.redhat.com/browse/RHIDP-13966"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14572",
        "url": "https://issues.redhat.com/browse/RHIDP-14572"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14597",
        "url": "https://issues.redhat.com/browse/RHIDP-14597"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14703",
        "url": "https://issues.redhat.com/browse/RHIDP-14703"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14733",
        "url": "https://issues.redhat.com/browse/RHIDP-14733"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14735",
        "url": "https://issues.redhat.com/browse/RHIDP-14735"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14736",
        "url": "https://issues.redhat.com/browse/RHIDP-14736"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14738",
        "url": "https://issues.redhat.com/browse/RHIDP-14738"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14740",
        "url": "https://issues.redhat.com/browse/RHIDP-14740"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14743",
        "url": "https://issues.redhat.com/browse/RHIDP-14743"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14744",
        "url": "https://issues.redhat.com/browse/RHIDP-14744"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14831",
        "url": "https://issues.redhat.com/browse/RHIDP-14831"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14835",
        "url": "https://issues.redhat.com/browse/RHIDP-14835"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14837",
        "url": "https://issues.redhat.com/browse/RHIDP-14837"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14895",
        "url": "https://issues.redhat.com/browse/RHIDP-14895"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14936",
        "url": "https://issues.redhat.com/browse/RHIDP-14936"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14937",
        "url": "https://issues.redhat.com/browse/RHIDP-14937"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14939",
        "url": "https://issues.redhat.com/browse/RHIDP-14939"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14941",
        "url": "https://issues.redhat.com/browse/RHIDP-14941"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-14943",
        "url": "https://issues.redhat.com/browse/RHIDP-14943"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-15033",
        "url": "https://issues.redhat.com/browse/RHIDP-15033"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-15039",
        "url": "https://issues.redhat.com/browse/RHIDP-15039"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-15042",
        "url": "https://issues.redhat.com/browse/RHIDP-15042"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-15067",
        "url": "https://issues.redhat.com/browse/RHIDP-15067"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-15073",
        "url": "https://issues.redhat.com/browse/RHIDP-15073"
      },
      {
        "category": "external",
        "summary": "https://issues.redhat.com/browse/RHIDP-15145",
        "url": "https://issues.redhat.com/browse/RHIDP-15145"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_33574.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Developer Hub 1.9.6 release.",
    "tracking": {
      "current_release_date": "2026-06-30T18:11:53+00:00",
      "generator": {
        "date": "2026-06-30T18:11:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.3.1"
        }
      },
      "id": "RHSA-2026:33574",
      "initial_release_date": "2026-06-30T15:00:33+00:00",
      "revision_history": [
        {
          "date": "2026-06-30T15:00:33+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-30T15:00:39+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-30T18:11:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Developer Hub 1.9",
                "product": {
                  "name": "Red Hat Developer Hub 1.9",
                  "product_id": "Red Hat Developer Hub 1.9",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhdh:1.9::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Developer Hub"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-hub-rhel9@sha256%3A044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-hub-rhel9\u0026tag=1782761244"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-rhel9-operator\u0026tag=1782767215"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
                "product": {
                  "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
                  "product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhdh-operator-bundle@sha256%3A66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893?arch=amd64\u0026repository_url=registry.redhat.io/rhdh/rhdh-operator-bundle\u0026tag=1782772967"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64 as a component of Red Hat Developer Hub 1.9",
          "product_id": "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub 1.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64 as a component of Red Hat Developer Hub 1.9",
          "product_id": "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub 1.9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64 as a component of Red Hat Developer Hub 1.9",
          "product_id": "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        },
        "product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64",
        "relates_to_product_reference": "Red Hat Developer Hub 1.9"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-9277",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "discovery_date": "2026-05-22T14:01:14.427751+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480741"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the shell-quote component. The quote() function did not properly validate object-token inputs, allowing line terminators to pass unescaped into the output. A remote attacker could exploit this vulnerability by providing specially crafted input, which a POSIX shell would interpret as a command separator. This could lead to command injection, enabling the attacker to execute arbitrary code on the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9277"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480741",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480741"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9277",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9277"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/shell-quote",
          "url": "https://github.com/ljharb/shell-quote"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/shell-quote/commit/1518179",
          "url": "https://github.com/ljharb/shell-quote/commit/1518179"
        },
        {
          "category": "external",
          "summary": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p",
          "url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p"
        },
        {
          "category": "external",
          "summary": "https://www.npmjs.com/package/shell-quote",
          "url": "https://www.npmjs.com/package/shell-quote"
        }
      ],
      "release_date": "2026-05-22T13:22:38.873000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators"
    },
    {
      "cve": "CVE-2026-9673",
      "cwe": {
        "id": "CWE-1236",
        "name": "Improper Neutralization of Formula Elements in a CSV File"
      },
      "discovery_date": "2026-05-28T06:01:00.245616+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2482486"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in json-2-csv. An attacker can bypass the `preventCsvInjection` option to inject malicious formulas into CSV (Comma Separated Values) files. When these manipulated CSV files are opened in spreadsheet applications, the injected formulas can execute, potentially leading to arbitrary code execution or information disclosure.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-2-csv: json-2-csv: CSV Injection vulnerability allows arbitrary code execution via `preventCsvInjection` bypass.",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Moderate vulnerability in `json-2-csv` allows for CSV Injection due to a bypass in the `preventCsvInjection` option. While exploitation requires a user to open a specially crafted CSV file in a spreadsheet application, successful attacks could lead to arbitrary code execution or information disclosure. This affects Red Hat Developer Hub and Red Hat Ansible Automation Platform when processing untrusted data that is subsequently exported to CSV and opened by a user.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9673"
        },
        {
          "category": "external",
          "summary": "RHBZ#2482486",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482486"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9673",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9673"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9673",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9673"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613",
          "url": "https://gist.github.com/whoamins/299745a2d36b482b44e9613b78e40613"
        },
        {
          "category": "external",
          "summary": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410",
          "url": "https://github.com/mrodrig/json-2-csv/blob/main/src/json2csv.ts%23L410"
        },
        {
          "category": "external",
          "summary": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229",
          "url": "https://github.com/mrodrig/json-2-csv/commit/0fdd0bb6d0273178cd940afc323ccbce19688229"
        },
        {
          "category": "external",
          "summary": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326",
          "url": "https://security.snyk.io/vuln/SNYK-JS-JSON2CSV-14221326"
        }
      ],
      "release_date": "2026-05-28T05:00:02.387000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "json-2-csv: json-2-csv: CSV Injection vulnerability allows arbitrary code execution via `preventCsvInjection` bypass."
    },
    {
      "cve": "CVE-2026-27145",
      "cwe": {
        "id": "CWE-606",
        "name": "Unchecked Input for Loop Condition"
      },
      "discovery_date": "2026-06-02T23:01:08.992540+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2484207"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the `crypto/x509` package of `golang`. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by presenting a specially crafted X.509 certificate with a large number of DNS Subject Alternative Name (SAN) entries. The certificate verification process, specifically the `VerifyHostname` function, incurs excessive computational overhead due to repeated string operations when processing these entries. This can lead to a significant performance degradation or unresponsiveness of systems validating such certificates.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "crypto/x509: golang: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A flaw was found in the Go standard library crypto/x509 package. When verifying a TLS certificate hostname, VerifyHostname processed each DNS Subject Alternative Name (SAN) entry in a loop and repeatedly split the candidate hostname on \".\" characters. For certificates with a very large DNS SAN list, CPU use could grow quadratically with the number of SAN entries and hostname labels. Because hostname verification runs before the certificate chain is built, this overhead can occur even when the certificate is not trusted.\n\nRed Hat rates this issue as Important. It affects Red Hat products that include the Go standard library crypto/x509 code from an affected Go toolchain version (before Go 1.25.11, or from Go 1.26.0 through Go 1.26.3). Applications and container images built with a fixed Go release (1.25.11 or later, or 1.26.4 or later) are not affected. Community distributions such as Fedora are also affected.\n\nUpstream fix: Go 1.25.11 and Go 1.26.4 (GO-2026-5037).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-27145"
        },
        {
          "category": "external",
          "summary": "RHBZ#2484207",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484207"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-27145",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27145"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27145",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27145"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/783621",
          "url": "https://go.dev/cl/783621"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/79694",
          "url": "https://go.dev/issue/79694"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw",
          "url": "https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-5037",
          "url": "https://pkg.go.dev/vuln/GO-2026-5037"
        }
      ],
      "release_date": "2026-06-02T22:01:36.954000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "A flaw was found in the Go standard library crypto/x509 package. When verifying a TLS certificate hostname, VerifyHostname processed each DNS Subject Alternative Name (SAN) entry in a loop and repeatedly split the candidate hostname on \".\" characters. For certificates with a very large DNS SAN list, CPU use could grow quadratically with the number of SAN entries and hostname labels. Because hostname verification runs before the certificate chain is built, this overhead can occur even when the certificate is not trusted.\n\nRed Hat rates this issue as Important. It affects Red Hat products that include the Go standard library crypto/x509 code from an affected Go toolchain version (before Go 1.25.11, or from Go 1.26.0 through Go 1.26.3). Applications and container images built with a fixed Go release (1.25.11 or later, or 1.26.4 or later) are not affected. Community distributions such as Fedora are also affected.\n\nUpstream fix: Go 1.25.11 and Go 1.26.4 (GO-2026-5037).",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "crypto/x509: golang: golang crypto/x509: Denial of Service via excessive processing of DNS SAN entries"
    },
    {
      "cve": "CVE-2026-33811",
      "cwe": {
        "id": "CWE-1341",
        "name": "Multiple Releases of Same Resource or Handle"
      },
      "discovery_date": "2026-05-07T20:01:34.913869+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2467822"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the `net` package of Go (golang), specifically when using the `LookupCNAME` function with the `cgo` DNS resolver. A remote attacker could exploit this by providing a very long Canonical Name (CNAME) response. This can trigger a double-free of C memory, leading to a crash and a Denial of Service (DoS) for the affected application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service vulnerability in the Go `net` package, affecting applications configured to use the `cgo` DNS resolver. A remote attacker could trigger a double-free memory error by providing a very long CNAME response, leading to a crash of the vulnerable application and impacting service availability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33811"
        },
        {
          "category": "external",
          "summary": "RHBZ#2467822",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467822"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33811",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33811"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/767860",
          "url": "https://go.dev/cl/767860"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78803",
          "url": "https://go.dev/issue/78803"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M",
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4981",
          "url": "https://pkg.go.dev/vuln/GO-2026-4981"
        }
      ],
      "release_date": "2026-05-07T19:41:19.285000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, applications can be configured to use the pure Go DNS resolver instead of the `cgo` DNS resolver. This can be achieved by setting the `GODEBUG` environment variable to `netdns=go`. For example, to run a Go application with this mitigation: `GODEBUG=netdns=go /path/to/your/go/application`. This change may require restarting affected applications or services to take effect. Users should verify that this change does not negatively impact DNS resolution for their specific application environment.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME"
    },
    {
      "cve": "CVE-2026-39820",
      "cwe": {
        "id": "CWE-606",
        "name": "Unchecked Input for Loop Condition"
      },
      "discovery_date": "2026-05-07T20:01:27.800929+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2467820"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the `net/mail` package of the Go programming language. An attacker could provide specially crafted inputs to the `ParseAddress`, `ParseAddressList`, or `ParseDate` functions. This could lead to excessive consumption of CPU and memory resources, resulting in a Denial of Service (DoS) for applications processing these inputs.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service vulnerability in the Go `net/mail` package. Applications processing untrusted email inputs via `ParseAddress`, `ParseAddressList`, or `ParseDate` functions are susceptible to excessive resource consumption, which can lead to service unavailability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-39820"
        },
        {
          "category": "external",
          "summary": "RHBZ#2467820",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467820"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-39820",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-39820"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/759940",
          "url": "https://go.dev/cl/759940"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78566",
          "url": "https://go.dev/issue/78566"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M",
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4986",
          "url": "https://pkg.go.dev/vuln/GO-2026-4986"
        }
      ],
      "release_date": "2026-05-07T19:41:19.854000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "net/mail: golang: Go net/mail: Denial of Service via crafted email inputs"
    },
    {
      "cve": "CVE-2026-42033",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T18:01:20.937507+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461607"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HTTP communication. This could lead to unauthorized access to sensitive information like user credentials and request details.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461607",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461607"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42033",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
        }
      ],
      "release_date": "2026-04-24T17:36:44.132000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: HTTP Transport Hijacking via Prototype Pollution"
    },
    {
      "cve": "CVE-2026-42035",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T18:01:17.109481+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application\u0027s core object definitions are manipulated, causing Axios to misinterpret data and include attacker-controlled headers in network communications. This could lead to unauthorized actions or data manipulation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Arbitrary HTTP header injection via prototype pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42035",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
        }
      ],
      "release_date": "2026-04-24T17:38:07.752000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "axios: Axios: Arbitrary HTTP header injection via prototype pollution"
    },
    {
      "cve": "CVE-2026-42039",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-04-24T19:01:44.887156+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461630"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the `toFormData` function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js process to crash due to a RangeError, leading to a potential Denial of Service (DoS) if the process crashes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461630",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461630"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42039",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
        }
      ],
      "release_date": "2026-04-24T18:01:30.775000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data"
    },
    {
      "cve": "CVE-2026-42041",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T19:01:41.034289+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461629"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to manipulate the `Object.prototype.validateStatus` property. By polluting this property, all HTTP error responses (such as 401, 403, or 500) are silently treated as successful responses. This can lead to a complete bypass of application-level authentication and error handling, potentially granting unauthorized access.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461629",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461629"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42041",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
        }
      ],
      "release_date": "2026-04-24T17:55:30.036000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling"
    },
    {
      "cve": "CVE-2026-42043",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2026-04-24T19:01:22.552379+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461626"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. An attacker who can control the destination address of an Axios request can exploit this vulnerability. By using specific internal network addresses (within the 127.0.0.0/8 range, excluding 127.0.0.1), the attacker can completely bypass the NO_PROXY protection, potentially leading to unauthorized access or information disclosure within the network. This issue is an incomplete fix for a previous vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: NO_PROXY bypass via crafted URL",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461626",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461626"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42043",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
        }
      ],
      "release_date": "2026-04-24T17:54:42.668000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: NO_PROXY bypass via crafted URL"
    },
    {
      "cve": "CVE-2026-42044",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-04-24T19:01:13.418725+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2461624"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a widely used HTTP client. This vulnerability, known as a Prototype Pollution \"Gadget\" attack, allows a remote attacker to subtly alter JSON API responses. By manipulating a specific function, an attacker can selectively modify data within these responses. This could lead to significant security breaches, including unauthorized privilege escalation, fraudulent balance manipulation, or bypassing critical authorization checks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "RHBZ#2461624",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461624"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42044",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
        }
      ],
      "release_date": "2026-04-24T17:49:49.517000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget"
    },
    {
      "cve": "CVE-2026-42338",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2026-05-12T21:01:14.436876+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2476810"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user\u0027s browser.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42338"
        },
        {
          "category": "external",
          "summary": "RHBZ#2476810",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42338",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42338"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
        },
        {
          "category": "external",
          "summary": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g",
          "url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
        }
      ],
      "release_date": "2026-05-12T19:43:16.470000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input"
    },
    {
      "cve": "CVE-2026-42499",
      "cwe": {
        "id": "CWE-1046",
        "name": "Creation of Immutable Text Using String Concatenation"
      },
      "discovery_date": "2026-05-07T20:00:51.685602+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2467809"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the `net/mail` package within the Go standard library. A remote attacker could provide specially crafted, pathological email addresses. When these malformed email addresses are parsed by the `consumePhrase` function, it can lead to excessive resource consumption due to quadratic string concatenation, resulting in a Denial of Service (DoS) condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service vulnerability in the `net/mail` package of the Go standard library. A remote attacker can exploit this flaw by sending specially crafted email addresses, leading to excessive resource consumption and a denial of service in Go applications that parse email addresses using the affected library.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42499"
        },
        {
          "category": "external",
          "summary": "RHBZ#2467809",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467809"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42499",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42499"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/771520",
          "url": "https://go.dev/cl/771520"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/78987",
          "url": "https://go.dev/issue/78987"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M",
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2026-4977",
          "url": "https://pkg.go.dev/vuln/GO-2026-4977"
        }
      ],
      "release_date": "2026-05-07T19:41:18.615000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "net/mail: golang: net/mail: Denial of Service via pathological email address parsing"
    },
    {
      "cve": "CVE-2026-44486",
      "cwe": {
        "id": "CWE-201",
        "name": "Insertion of Sensitive Information Into Sent Data"
      },
      "discovery_date": "2026-06-11T17:01:30.944384+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487947"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client, specifically in its Node.js HTTP adapter. When Axios is configured to use an authenticated proxy and follows a redirect, it may inadvertently send the Proxy-Authorization header, containing proxy credentials, to the redirect target. This can lead to the disclosure of sensitive proxy credentials to an unintended remote server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44486"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487947",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487947"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44486",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44486"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44486"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc"
        }
      ],
      "release_date": "2026-06-11T15:39:07.714000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Information disclosure of proxy credentials via HTTP redirects"
    },
    {
      "cve": "CVE-2026-44487",
      "cwe": {
        "id": "CWE-201",
        "name": "Insertion of Sensitive Information Into Sent Data"
      },
      "discovery_date": "2026-06-11T17:01:34.091476+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487948"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. During specific proxy-to-direct redirect flows in the Node.js HTTP adapter, a remote attacker could exploit this vulnerability. The Proxy-Authorization header, which contains proxy credentials and is intended only for the outbound proxy, may be forwarded to the final redirected origin. This can lead to the disclosure of sensitive proxy credentials to an unintended third party.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Information disclosure of proxy credentials via redirect flows",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487948",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487948"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44487",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44487"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v"
        }
      ],
      "release_date": "2026-06-11T15:38:25.150000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Information disclosure of proxy credentials via redirect flows"
    },
    {
      "cve": "CVE-2026-44488",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-06-11T17:01:36.836488+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487949"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. When using the fetch adapter, Axios did not properly enforce configured request and response size limits. This vulnerability allows a remote attacker, through a malicious or compromised server, or by supplying a large data URL, to send or receive oversized data bodies. This can lead to resource exhaustion in server-side applications, resulting in a Denial of Service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Denial of Service due to unenforced request and response size limits",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487949",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487949"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44488",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44488"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-777c-7fjr-54vf"
        }
      ],
      "release_date": "2026-06-11T15:37:38.013000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Denial of Service due to unenforced request and response size limits"
    },
    {
      "cve": "CVE-2026-44492",
      "cwe": {
        "id": "CWE-289",
        "name": "Authentication Bypass by Alternate Name"
      },
      "discovery_date": "2026-06-11T17:00:56.761751+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487938"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not properly normalize IPv4-mapped IPv6 addresses. When a NO_PROXY setting is configured to block direct access to specific IPv4 addresses, an attacker can bypass this restriction by using the IPv4-mapped IPv6 form of the address in a request URL. This allows the request to be routed through the proxy, potentially exposing internal services or sensitive information that should otherwise be inaccessible.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44492"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487938",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487938"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44492",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44492"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44492"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv"
        }
      ],
      "release_date": "2026-06-11T15:29:13.890000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization"
    },
    {
      "cve": "CVE-2026-44494",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-06-11T17:01:12.945664+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487942"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. This vulnerability, a Prototype Pollution \"Gadget\" attack, allows an attacker to escalate any existing Object.prototype pollution in an application\u0027s dependency tree into a full Man-in-the-Middle (MITM) attack. This enables the attacker to intercept, read, and modify all HTTP traffic, including sensitive authentication credentials. The flaw occurs because the `config.proxy` setting is susceptible to prototype pollution, allowing an attacker to inject a malicious proxy server.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487942",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487942"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44494",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44494"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-35jp-ww65-95wh"
        }
      ],
      "release_date": "2026-06-11T15:32:03.155000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution"
    },
    {
      "cve": "CVE-2026-44495",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-06-11T17:00:53.999811+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487937"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this inherited value as part of the request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Information disclosure due to prototype pollution vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44495"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487937",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487937"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44495",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44495"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44495"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw"
        }
      ],
      "release_date": "2026-06-11T15:33:12.433000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Information disclosure due to prototype pollution vulnerability"
    },
    {
      "cve": "CVE-2026-44496",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2026-06-11T17:01:15.856386+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487943"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Axios. A remote attacker, by influencing the XSRF cookie name in a browser environment, could cause the application to construct a regular expression that leads to excessive processing. This can result in a client-side Denial of Service (DoS), where the affected browser tab may freeze, impacting the availability of the application for the user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44496"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487943",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487943"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44496",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44496"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44496"
        },
        {
          "category": "external",
          "summary": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf",
          "url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
        }
      ],
      "release_date": "2026-06-11T15:34:28.492000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name"
    },
    {
      "cve": "CVE-2026-44724",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "discovery_date": "2026-05-27T21:02:14.837088+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2482416"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in systeminformation, a Node.js library. This vulnerability allows a local attacker on Linux to inject arbitrary commands. This occurs when an active NetworkManager connection profile name contains shell metacharacters, which are not properly sanitized before being used in shell commands. Successful exploitation can lead to arbitrary code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "systeminformation: systeminformation: Command injection via NetworkManager connection profile name",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-44724"
        },
        {
          "category": "external",
          "summary": "RHBZ#2482416",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482416"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-44724",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44724"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44724",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44724"
        },
        {
          "category": "external",
          "summary": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9",
          "url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9"
        }
      ],
      "release_date": "2026-05-27T19:26:28.392000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "systeminformation: systeminformation: Command injection via NetworkManager connection profile name"
    },
    {
      "cve": "CVE-2026-45736",
      "cwe": {
        "id": "CWE-824",
        "name": "Access of Uninitialized Pointer"
      },
      "discovery_date": "2026-05-15T16:00:55.786944+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2477914"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in ws, an open source WebSocket client and server for Node.js. The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument. This can lead to the disclosure of sensitive information from uninitialized memory.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Important vulnerability in the `ws` WebSocket library for Node.js could lead to sensitive information disclosure. The flaw occurs when a `TypedArray` is specifically provided as the `reason` argument to the `websocket.close()` function, potentially exposing uninitialized memory. Red Hat products utilizing this library may be affected if their implementations allow for such a crafted `close()` call.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-45736"
        },
        {
          "category": "external",
          "summary": "RHBZ#2477914",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477914"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-45736",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45736"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45736",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45736"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086",
          "url": "https://github.com/websockets/ws/commit/c0327ec15a54d701eb6ccefaa8bef328cfc03086"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx",
          "url": "https://github.com/websockets/ws/security/advisories/GHSA-58qx-3vcg-4xpx"
        }
      ],
      "release_date": "2026-05-15T14:53:57.263000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`"
    },
    {
      "cve": "CVE-2026-47131",
      "cwe": {
        "id": "CWE-843",
        "name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
      },
      "discovery_date": "2026-06-12T15:01:52.744009+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488393"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker can exploit this vulnerability by combining specific Buffer function calls and Node.js\u0027s ERR_INVALID_ARG_TYPE error. This allows the attacker to obtain the host\u0027s TypeError constructor, leading to an escape from the sandbox. Consequently, this enables attackers to run arbitrary code on the host system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: Arbitrary code execution via sandbox escape vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Red Hat Product Security team has rated the impact of this vulnerability as Moderate in Red Hat Developer Hub and Ansible Automation Platform.The affected package is present in both products as a transitive dependency; however, the vulnerable sandbox functionality is not invoked in any production code path. The active sandboxing mechanism used by both products does not rely on this package, and user-supplied input cannot reach the vulnerable code under a standard deployment. Exploitation would require an attacker to independently route arbitrary JavaScript into the sandbox runtime, a condition not present in the default configuration of either product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47131"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488393",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488393"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47131",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47131"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47131",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47131"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8",
          "url": "https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg"
        }
      ],
      "release_date": "2026-06-12T14:14:17.037000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vm2: vm2: Arbitrary code execution via sandbox escape vulnerability"
    },
    {
      "cve": "CVE-2026-47135",
      "cwe": {
        "id": "CWE-1100",
        "name": "Insufficient Isolation of System-Dependent Functions"
      },
      "discovery_date": "2026-06-12T15:02:02.154869+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488396"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. An attacker within the sandbox could exploit incomplete symbol interception and missing security checks to gain control over the host system. This could allow the attacker to execute arbitrary code outside the sandbox environment, leading to a complete compromise of the host.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: Sandbox escape allows arbitrary code execution on the host system",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to write cross-realm symbol keys to host objects which is not possible in the default configuration of Red Hat Developer Hub.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47135"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488396",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488396"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47135",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47135"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47135",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47135"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878",
          "url": "https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp"
        }
      ],
      "release_date": "2026-06-12T14:14:42.022000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vm2: vm2: Sandbox escape allows arbitrary code execution on the host system"
    },
    {
      "cve": "CVE-2026-47137",
      "cwe": {
        "id": "CWE-480",
        "name": "Use of Incorrect Operator"
      },
      "discovery_date": "2026-06-12T15:01:24.611905+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488385"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. A remote attacker could bypass a security check designed to prevent the combination of nested environments and disabled module loading. This bypass occurs because a strict equality check for the `require` option can be circumvented by simply omitting the option, leading to an unintended configuration. Successful exploitation of this vulnerability could allow an attacker to escape the sandbox and achieve arbitrary code execution on the host system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: Sandbox escape leading to arbitrary code execution via security bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Red Hat Product Security team has rated the impact of this vulnerability as Moderate in Red Hat Developer Hub and Ansible Automation Platform.The affected package is present in both products as a transitive dependency; however, the vulnerable sandbox functionality is not invoked in any production code path. The active sandboxing mechanism used by both products does not rely on this package, and user-supplied input cannot reach the vulnerable code under a standard deployment. Exploitation would require an attacker to independently route arbitrary JavaScript into the sandbox runtime, a condition not present in the default configuration of either product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47137"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488385",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488385"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47137",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47137"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47137",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47137"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-g644-9gfx-q4q4",
          "url": "https://github.com/advisories/GHSA-g644-9gfx-q4q4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568",
          "url": "https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7",
          "url": "https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr"
        }
      ],
      "release_date": "2026-06-12T14:15:34.795000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "vm2: vm2: Sandbox escape leading to arbitrary code execution via security bypass"
    },
    {
      "cve": "CVE-2026-47139",
      "cwe": {
        "id": "CWE-1100",
        "name": "Insufficient Isolation of System-Dependent Functions"
      },
      "discovery_date": "2026-06-12T15:01:31.104545+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488387"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, a Node.js sandbox. This vulnerability allows sandboxed code to bypass network restrictions by utilizing internal HTTP built-ins, such as _http_client and _http_server. An attacker can exploit this to make outbound HTTP requests or open listening HTTP sockets, even when public network modules are explicitly denied. This could lead to unauthorized information disclosure or further compromise of the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: Sandbox escape via internal HTTP built-ins leading to network restriction bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to access internal HTTP built-ins which is not possible in the default configuration of Red Hat Developer Hub.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47139"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488387",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488387"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47139",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47139"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47139",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47139"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/436053e30eecbabd487e2fd2959c137ac34e2bb1",
          "url": "https://github.com/patriksimek/vm2/commit/436053e30eecbabd487e2fd2959c137ac34e2bb1"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-r9pm-gxmw-wv6p",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-r9pm-gxmw-wv6p"
        }
      ],
      "release_date": "2026-06-12T14:15:44.652000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vm2: vm2: Sandbox escape via internal HTTP built-ins leading to network restriction bypass"
    },
    {
      "cve": "CVE-2026-47140",
      "cwe": {
        "id": "CWE-184",
        "name": "Incomplete List of Disallowed Inputs"
      },
      "discovery_date": "2026-06-12T15:01:11.705175+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488381"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows sandboxed code to bypass intended security restrictions by exploiting missing entries in the denylist for dangerous Node.js built-in functions, specifically `process` and `inspector/promises`. A remote attacker can leverage this to execute arbitrary code in the host process, leading to a complete compromise of the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: Arbitrary code execution due to incomplete sandbox restrictions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Red Hat Product Security team has rated the impact of this vulnerability as Moderate in Red Hat Developer Hub and Ansible Automation Platform.The affected package is present in both products as a transitive dependency; however, the vulnerable sandbox functionality is not invoked in any production code path. The active sandboxing mechanism used by both products does not rely on this package, and user-supplied input cannot reach the vulnerable code under a standard deployment. Exploitation would require an attacker to independently route arbitrary JavaScript into the sandbox runtime, a condition not present in the default configuration of either product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47140"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488381",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488381"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47140",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47140"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47140",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47140"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b",
          "url": "https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4"
        }
      ],
      "release_date": "2026-06-12T14:16:10.727000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "vm2: vm2: Arbitrary code execution due to incomplete sandbox restrictions"
    },
    {
      "cve": "CVE-2026-47141",
      "cwe": {
        "id": "CWE-653",
        "name": "Improper Isolation or Compartmentalization"
      },
      "discovery_date": "2026-06-12T15:01:05.444374+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488379"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. Prior to version 3.11.4, NodeVM, a component of vm2, improperly exposed certain process-wide observability builtins, such as diagnostics_channel, async_hooks, and perf_hooks. These builtins, which are designed for monitoring and debugging, were not adequately blocked by the dangerous builtin denylist. This oversight allowed sandboxed code to observe sensitive host application data, leading to information disclosure across the vm2 security boundary.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: NodeVM observability builtins leak host process and HTTP request data",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to access process-wide observability builtins which is not possible in the default configuration of Red Hat Developer Hub.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47141"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488379",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488379"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47141",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47141"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47141",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47141"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb",
          "url": "https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f"
        }
      ],
      "release_date": "2026-06-12T14:17:35.970000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vm2: vm2: NodeVM observability builtins leak host process and HTTP request data"
    },
    {
      "cve": "CVE-2026-47208",
      "discovery_date": "2026-06-12T15:01:14.630546+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488382"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by writing malicious code. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: Sandbox Breakout Using Promise Species",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Exploitation requires an attacker to supply untrusted malicious code to the vm2 sandbox, which is easily achieved since the component\u0027s main purpose is to execute untrusted code.\n\nEscaping the sandbox completely bypasses the intended security boundaries, leading directly to arbitrary code execution on the host system and a full compromise of confidentiality and integrity",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47208"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488382",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488382"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47208",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47208"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47208",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47208"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8",
          "url": "https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j"
        }
      ],
      "release_date": "2026-06-12T14:16:22.726000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vm2: vm2: Sandbox Breakout Using Promise Species"
    },
    {
      "cve": "CVE-2026-47209",
      "cwe": {
        "id": "CWE-915",
        "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      },
      "discovery_date": "2026-06-12T15:02:05.339635+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2488397"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in vm2, an open-source virtual machine (VM) sandbox for Node.js. This vulnerability allows an attacker to bypass security restrictions by writing dangerous cross-realm Symbol keys to host objects. This can lead to a compromise of the integrity of the host system, potentially enabling arbitrary code execution within the Node.js environment. The issue stems from the BaseHandler.set trap in bridge.js, which incorrectly writes to the host target object even when inherited property assignments should create an own property on the receiver.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "vm2: vm2: Integrity bypass via incorrect property assignment leading to potential arbitrary code execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability has been rated as Moderate for Red Hat Developer Hub and Red Hat Ansible Automation Platform. The vm2 sandbox exists as a transitive dependency in Red Hat Developer Hub and is only utilized during build time. The sandbox is therefore not exposed on the production code path. Exploitation of this vulnerability requires attackers to write cross-realm symbol keys to host objects which is not possible in the default configuration of Red Hat Developer Hub.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47209"
        },
        {
          "category": "external",
          "summary": "RHBZ#2488397",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488397"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47209",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47209"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47209",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47209"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22",
          "url": "https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4",
          "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
        },
        {
          "category": "external",
          "summary": "https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6",
          "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6"
        }
      ],
      "release_date": "2026-06-12T14:14:06.455000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "vm2: vm2: Integrity bypass via incorrect property assignment leading to potential arbitrary code execution"
    },
    {
      "cve": "CVE-2026-48779",
      "cwe": {
        "id": "CWE-1050",
        "name": "Excessive Platform Resource Consumption within a Loop"
      },
      "discovery_date": "2026-06-16T22:01:24.571224+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2489661"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in ws, an open source WebSocket client and server. A remote attacker can exploit this memory exhaustion vulnerability by sending a high volume of exceptionally small fragments and data chunks. This action forces the affected component to allocate and hold structural wrappers that consume excessive memory. Consequently, this leads to process termination and a denial of service (DoS) for the remote peer.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
        ],
        "known_not_affected": [
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
          "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-48779"
        },
        {
          "category": "external",
          "summary": "RHBZ#2489661",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489661"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-48779",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48779"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48779"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7",
          "url": "https://github.com/websockets/ws/commit/86d3e8a5fb0246ed373860c5fbb0de88824a27f7"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53",
          "url": "https://github.com/websockets/ws/commit/b5372ac67bb97a773727b8e9f5035a8123556d53"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94",
          "url": "https://github.com/websockets/ws/commit/bca91adf15677e47dbe4f959653452727be28b94"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8",
          "url": "https://github.com/websockets/ws/commit/fd36cd864fcdf62a08273a99e19a7d975401fee8"
        },
        {
          "category": "external",
          "summary": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p",
          "url": "https://github.com/websockets/ws/security/advisories/GHSA-96hv-2xvq-fx4p"
        }
      ],
      "release_date": "2026-06-16T21:26:22.537000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-30T15:00:33+00:00",
          "details": "For more about Red Hat Developer Hub, see References links",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:33574"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:044d2d72c21329826c144d9b55c381576a421188139de0fed693e74997665d2c_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:66fb23e8dbced7bb187928fb38562ae9e2649265d56f745044dd5e79b4209893_amd64",
            "Red Hat Developer Hub 1.9:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:219babfcc89ae903edf35022aae79ba1d1b326386978db8ff267e24e50f9a785_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.