Red Hat Security Advisory: Red Hat Advanced Cluster Management for Kubernetes v2.14.3 security update
🔗 CVE IDs covered (40)
📋 Description
CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions
CVE-2025-47907 — database/sql: Postgres Scan Race Condition
CVE-2025-48431 — Apache Thrift: c_glib: Apache Thrift c_glib: Denial of Service via specially crafted requests
CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url
CVE-2025-61728 — golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
CVE-2025-62718 — axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
CVE-2026-22029 — @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects
CVE-2026-22610 — angular: Angular: Cross-site scripting vulnerability in Template Compiler
CVE-2026-25639 — axios: Axios affected by Denial of Service via proto Key in mergeConfig
CVE-2026-25681 — golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting
CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution
CVE-2026-32285 — github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input
CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
CVE-2026-33487 — github.com/russellhaering/goxmldsig: goxmlsig: Integrity bypass due to incorrect XML Digital Signature validation via loop variable capture issue
CVE-2026-40175 — axios: Axios: Remote Code Execution via Prototype Pollution escalation
CVE-2026-40293 — OpenFGA: github.com/openfga/openfga: OpenFGA: Information disclosure of preshared API key via playground endpoint
CVE-2026-40895 — follow-redirects: follow-redirects: Information disclosure via cross-domain redirects
CVE-2026-41602 — github.com/apache/thrift: Apache Thrift: Integer Overflow in TFramedTransport Go implementation
CVE-2026-41603 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Security Bypass via Improper Certificate Hostname Validation
CVE-2026-41604 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Out-of-bounds Read vulnerability
CVE-2026-41605 — Apache Thrift: Apache Thrift: Integer Overflow or Wraparound Vulnerability
CVE-2026-41606 — Apache Thrift: Apache Thrift: Denial of Service via uncontrolled recursion
CVE-2026-41607 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Out-of-bounds Read vulnerability
CVE-2026-42033 — axios: Axios: HTTP Transport Hijacking via Prototype Pollution
CVE-2026-42035 — axios: Axios: Arbitrary HTTP header injection via prototype pollution
CVE-2026-42039 — axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data
CVE-2026-42041 — axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling
CVE-2026-42043 — axios: Axios: NO_PROXY bypass via crafted URL
CVE-2026-42044 — axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget
CVE-2026-43869 — Apache Thrift: Apache Thrift: Security bypass due to improper certificate validation
CVE-2026-43870 — apache-thrift: Apache Thrift: Denial of Service via multiple vulnerabilities
CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits
CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44496 — axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name
CVE-2026-44990 — sanitize-html: sanitize-html: Stored Cross-Site Scripting via HTML sanitizer bypass
🔗 References (44)
- selfhttps://access.redhat.com/errata/RHSA-2026:36882
- externalhttps://access.redhat.com/security/cve/CVE-2025-13465
- externalhttps://access.redhat.com/security/cve/CVE-2025-47907
- externalhttps://access.redhat.com/security/cve/CVE-2025-48431
- externalhttps://access.redhat.com/security/cve/CVE-2025-61726
- externalhttps://access.redhat.com/security/cve/CVE-2025-61728
- externalhttps://access.redhat.com/security/cve/CVE-2025-61729
- externalhttps://access.redhat.com/security/cve/CVE-2025-62718
- externalhttps://access.redhat.com/security/cve/CVE-2026-22029
- externalhttps://access.redhat.com/security/cve/CVE-2026-22610
- externalhttps://access.redhat.com/security/cve/CVE-2026-25639
- externalhttps://access.redhat.com/security/cve/CVE-2026-25681
- externalhttps://access.redhat.com/security/cve/CVE-2026-29063
- externalhttps://access.redhat.com/security/cve/CVE-2026-32285
- externalhttps://access.redhat.com/security/cve/CVE-2026-33186
- externalhttps://access.redhat.com/security/cve/CVE-2026-33487
- externalhttps://access.redhat.com/security/cve/CVE-2026-40175
- externalhttps://access.redhat.com/security/cve/CVE-2026-40293
- externalhttps://access.redhat.com/security/cve/CVE-2026-40895
- externalhttps://access.redhat.com/security/cve/CVE-2026-41602
- externalhttps://access.redhat.com/security/cve/CVE-2026-41603
- externalhttps://access.redhat.com/security/cve/CVE-2026-41604
- externalhttps://access.redhat.com/security/cve/CVE-2026-41605
- externalhttps://access.redhat.com/security/cve/CVE-2026-41606
- externalhttps://access.redhat.com/security/cve/CVE-2026-41607
- externalhttps://access.redhat.com/security/cve/CVE-2026-42033
- externalhttps://access.redhat.com/security/cve/CVE-2026-42035
- externalhttps://access.redhat.com/security/cve/CVE-2026-42039
- externalhttps://access.redhat.com/security/cve/CVE-2026-42041
- externalhttps://access.redhat.com/security/cve/CVE-2026-42043
- externalhttps://access.redhat.com/security/cve/CVE-2026-42044
- externalhttps://access.redhat.com/security/cve/CVE-2026-43869
- externalhttps://access.redhat.com/security/cve/CVE-2026-43870
- externalhttps://access.redhat.com/security/cve/CVE-2026-44486
- externalhttps://access.redhat.com/security/cve/CVE-2026-44487
- externalhttps://access.redhat.com/security/cve/CVE-2026-44488
- externalhttps://access.redhat.com/security/cve/CVE-2026-44492
- externalhttps://access.redhat.com/security/cve/CVE-2026-44494
- externalhttps://access.redhat.com/security/cve/CVE-2026-44495
- externalhttps://access.redhat.com/security/cve/CVE-2026-44496
- externalhttps://access.redhat.com/security/cve/CVE-2026-44990
- externalhttps://access.redhat.com/security/updates/classification/
- externalhttps://access.redhat.com/security/updates/classification/#important
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_36882.json