RHSA-2026:36882HighCVSS 9.1

Red Hat Security Advisory: Red Hat Advanced Cluster Management for Kubernetes v2.14.3 security update

Published
July 8, 2026
Last Modified
July 12, 2026

🔗 CVE IDs covered (40)

📋 Description

CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions CVE-2025-47907 — database/sql: Postgres Scan Race Condition CVE-2025-48431 — Apache Thrift: c_glib: Apache Thrift c_glib: Denial of Service via specially crafted requests CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-61728 — golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate CVE-2025-62718 — axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization CVE-2026-22029 — @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects CVE-2026-22610 — angular: Angular: Cross-site scripting vulnerability in Template Compiler CVE-2026-25639 — axios: Axios affected by Denial of Service via proto Key in mergeConfig CVE-2026-25681 — golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution CVE-2026-32285 — github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation CVE-2026-33487 — github.com/russellhaering/goxmldsig: goxmlsig: Integrity bypass due to incorrect XML Digital Signature validation via loop variable capture issue CVE-2026-40175 — axios: Axios: Remote Code Execution via Prototype Pollution escalation CVE-2026-40293 — OpenFGA: github.com/openfga/openfga: OpenFGA: Information disclosure of preshared API key via playground endpoint CVE-2026-40895 — follow-redirects: follow-redirects: Information disclosure via cross-domain redirects CVE-2026-41602 — github.com/apache/thrift: Apache Thrift: Integer Overflow in TFramedTransport Go implementation CVE-2026-41603 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Security Bypass via Improper Certificate Hostname Validation CVE-2026-41604 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Out-of-bounds Read vulnerability CVE-2026-41605 — Apache Thrift: Apache Thrift: Integer Overflow or Wraparound Vulnerability CVE-2026-41606 — Apache Thrift: Apache Thrift: Denial of Service via uncontrolled recursion CVE-2026-41607 — Apache Thrift: apache.com/apache/thrift: Apache Thrift: Out-of-bounds Read vulnerability CVE-2026-42033 — axios: Axios: HTTP Transport Hijacking via Prototype Pollution CVE-2026-42035 — axios: Axios: Arbitrary HTTP header injection via prototype pollution CVE-2026-42039 — axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data CVE-2026-42041 — axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling CVE-2026-42043 — axios: Axios: NO_PROXY bypass via crafted URL CVE-2026-42044 — axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget CVE-2026-43869 — Apache Thrift: Apache Thrift: Security bypass due to improper certificate validation CVE-2026-43870 — apache-thrift: Apache Thrift: Denial of Service via multiple vulnerabilities CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability CVE-2026-44496 — axios: Axios: Client-side Denial of Service via unescaped regex metacharacters in XSRF cookie name CVE-2026-44990 — sanitize-html: sanitize-html: Stored Cross-Site Scripting via HTML sanitizer bypass

🔗 References (44)