RHSA-2026:34342CriticalCVSS 9.8

Red Hat Security Advisory: Cluster Observability Operator 1.5.0

Published
July 1, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (41)

📋 Description

CVE-2020-7753 — nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function CVE-2021-33623 — nodejs-trim-newlines: ReDoS in .end() method CVE-2024-4068 — braces: fails to limit the number of characters it can handle CVE-2024-45338 — golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html CVE-2024-52011 — launch-editor: vite: launch-editor: Arbitrary command execution via insufficient file argument sanitization CVE-2025-22868 — golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws CVE-2025-22870 — golang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net CVE-2025-22872 — golang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net CVE-2025-47911 — golang.org/x/net/html: Quadratic parsing complexity in golang.org/x/net/html CVE-2025-58190 — golang.org/x/net/html: Infinite parsing loop in golang.org/x/net CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports CVE-2026-4867 — path-to-regexp: path-to-regexp: Denial of Service via catastrophic backtracking from malformed URL parameters CVE-2026-6321 — fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies CVE-2026-6322 — fast-uri: fast-uri: URI authority bypass due to improper delimiter handling CVE-2026-6734 — undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing CVE-2026-9277 — shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators CVE-2026-9697 — undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy CVE-2026-12143 — form-data: form-data: Form field override via CRLF injection CVE-2026-12151 — undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames CVE-2026-25680 — golang.org/x/net/html: golang.org/x/net/html: Denial of Service due to excessive HTML parsing CVE-2026-25681 — golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution CVE-2026-32141 — flatted: flatted: Unbounded recursion DoS in parse() revive phase CVE-2026-33228 — flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON. CVE-2026-33671 — picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns CVE-2026-33814 — net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame CVE-2026-33891 — node-forge: node-forge: Denial of Service via infinite loop in BigInteger.modInverse() CVE-2026-33894 — node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification CVE-2026-33895 — node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures CVE-2026-33896 — node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance CVE-2026-33937 — handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() CVE-2026-33938 — handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite CVE-2026-33939 — handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation CVE-2026-33940 — handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context CVE-2026-33941 — handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw CVE-2026-39821 — golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing CVE-2026-42506 — golang.org/x/net/html: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing CVE-2026-48779 — ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments

🔗 References (46)