RHSA-2026:34608HighCVSS 8.7

Red Hat Security Advisory: Streams for Apache Kafka 2.9.4 release and security update

Published
July 2, 2026
Last Modified
July 6, 2026

🔗 CVE IDs covered (34)

📋 Description

CVE-2024-29371 — jose4j: jose4j: Denial of Service via malicious JSON Web Encryption (JWE) token compression CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions CVE-2025-58056 — netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions CVE-2026-1002 — io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports CVE-2026-6860 — eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name CVE-2026-23864 — react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests CVE-2026-24281 — Apache ZooKeeper: Apache ZooKeeper: Impersonation of servers or clients via reverse DNS spoofing CVE-2026-24308 — Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values CVE-2026-27980 — next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage CVE-2026-33870 — io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values CVE-2026-33871 — netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood CVE-2026-34480 — org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging CVE-2026-39852 — io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests CVE-2026-41240 — DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization CVE-2026-42044 — axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget CVE-2026-42583 — netty: io.netty/netty-codec-compression: io.netty/netty-codec: Netty: Denial of Service via excessive memory allocation in LZ4FrameDecoder CVE-2026-42587 — netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression CVE-2026-44249 — netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation CVE-2026-44573 — next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n CVE-2026-44574 — Next.js: Next.js: Authorization bypass via crafted query parameters CVE-2026-44575 — next.js: Next.js: Unauthorized access to protected content via middleware bypass CVE-2026-44577 — Next.js: Next.js: Denial of Service via Image Optimization API CVE-2026-44578 — Next.js: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests CVE-2026-44579 — next.js: Next.js: Denial of Service via crafted POST requests to server actions CVE-2026-44893 — netty-codec-haproxy: Netty-codec-haproxy: Denial of Service via malformed HAProxy message CVE-2026-45109 — next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack CVE-2026-45416 — netty-handler: Netty: Denial of Service due to eager buffer allocation in TLS handshake CVE-2026-45674 — netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation CVE-2026-47691 — io.netty/netty-resolver-dns: Netty has Insufficient Bailiwick Validation for NS Records CVE-2026-48043 — netty-codec-http2: netty-codec-http2: Denial of Service due to resource leak CVE-2026-48059 — netty-codec-haproxy: Netty HAProxy PROXY protocol v2 codec: Denial of Service via memory leak from crafted PROXY protocol headers CVE-2026-50010 — netty-handler: Netty: Improper trust manager handling leads to hostname verification bypass CVE-2026-50559 — io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters

🔗 References (37)