RHSA-2026:26234 (Severity: High, CVSS 8.8)

Red Hat Security Advisory: Red Hat Developer Hub 1.9.5 release.

Published: June 16, 2026
Last Modified: June 22, 2026

🔗 CVE IDs covered (24)

📋 Description

CVE-2026-6321 — fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies
CVE-2026-6322 — fast-uri: fast-uri: URI authority bypass due to improper delimiter handling
CVE-2026-9277 — shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
CVE-2026-24781 — vm2: vm2: Arbitrary code execution via sandbox breakout through inspect function
CVE-2026-32281 — crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation
CVE-2026-41242 — protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields
CVE-2026-41672 — xmldom: @xmldom/xmldom: xmldom: Arbitrary XML Node Injection
CVE-2026-41673 — @xmldom/xmldom: xmldom: xmldom: Denial of Service via deeply nested XML documents
CVE-2026-41674 — xmldom: xmldom: Arbitrary XML markup injection
CVE-2026-41675 — xmldom: xmldom: Arbitrary XML node injection via crafted processing instructions
CVE-2026-42033 — axios: Axios: HTTP Transport Hijacking via Prototype Pollution
CVE-2026-42035 — axios: Axios: Arbitrary HTTP header injection via prototype pollution
CVE-2026-42039 — axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
CVE-2026-42041 — axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
CVE-2026-42043 — axios: Axios: NO_PROXY bypass via crafted URL
CVE-2026-42044 — axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget
CVE-2026-44293 — protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors
CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits
CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44496 — axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name

🔗 References (31)