RHSA-2026:36820HighCVSS 8.8

Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.29.0 Release.

Published
July 8, 2026
Last Modified
July 8, 2026

🔗 CVE IDs covered (31)

📋 Description

CVE-2026-6734 — undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing CVE-2026-9697 — undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy CVE-2026-12151 — undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames CVE-2026-12856 — vscode-java: vscode: Command Injection vulnerability in the JavaDoc hover provider of the vscode-java extension CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object CVE-2026-39821 — golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing CVE-2026-39829 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters CVE-2026-42338 — ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-42578 — netty: io.netty/netty-handler-proxy: Netty: HTTP Header Injection via HttpProxyHandler Disabled Validation CVE-2026-42579 — netty: Netty: High integrity impact due to improper DNS domain name constraint enforcement CVE-2026-42581 — netty: io.netty/netty-codec-http: Netty: HTTP Request Smuggling due to improper handling of conflicting HTTP/1.0 headers CVE-2026-42583 — netty: io.netty/netty-codec-compression: io.netty/netty-codec: Netty: Denial of Service via excessive memory allocation in LZ4FrameDecoder CVE-2026-42584 — netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion CVE-2026-42587 — netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression CVE-2026-44249 — netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability CVE-2026-44496 — axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name CVE-2026-44774 — traefik: Traefik: Privilege escalation via Kubernetes Gateway API provider configuration bypass CVE-2026-44893 — netty-codec-haproxy: Netty-codec-haproxy: Denial of Service via malformed HAProxy message CVE-2026-45292 — opentelemetry-java: opentelemetry-api: opentelemetry-extension-trace-propagators: OpenTelemetry Java: Denial of Service due to unbounded memory allocation when parsing oversized baggage CVE-2026-45736 — ws: ws: Uninitialized memory disclosure via websocket.close() with TypedArray CVE-2026-46595 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Authorization bypass due to skipped source-address validation CVE-2026-48043 — netty-codec-http2: netty-codec-http2: Denial of Service due to resource leak CVE-2026-48059 — netty-codec-haproxy: Netty HAProxy PROXY protocol v2 codec: Denial of Service via memory leak from crafted PROXY protocol headers CVE-2026-48779 — ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments CVE-2026-50559 — io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters

🔗 References (35)