Red Hat Security Advisory: Red Hat Quay 3.9.24
🔗 CVE IDs covered (24)
📋 Description
CVE-2026-12143 — form-data: form-data: Form field override via CRLF injection
CVE-2026-13676 — fast-uri: fast-uri: Security policy bypass due to improper Unicode hostname canonicalization
CVE-2026-32591 — mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration
CVE-2026-39820 — net/mail: golang: Go net/mail: Denial of Service via crafted email inputs
CVE-2026-39821 — golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing
CVE-2026-39828 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions
CVE-2026-39829 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters
CVE-2026-39830 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
CVE-2026-39831 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check
CVE-2026-39832 — golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
CVE-2026-39835 — golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate
CVE-2026-42151 — github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
CVE-2026-42154 — github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint
CVE-2026-42499 — net/mail: golang: net/mail: Denial of Service via pathological email address parsing
CVE-2026-42508 — golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey
CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects
CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows
CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits
CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization
CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution
CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability
CVE-2026-44990 — sanitize-html: sanitize-html: Stored Cross-Site Scripting via HTML sanitizer bypass
CVE-2026-45822 — decode-uri-component: decode-uri-component: Denial of Service via crafted input
CVE-2026-46597 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs
🔗 References (27)
- selfhttps://access.redhat.com/errata/RHSA-2026:40262
- externalhttps://access.redhat.com/security/cve/CVE-2026-12143
- externalhttps://access.redhat.com/security/cve/CVE-2026-13676
- externalhttps://access.redhat.com/security/cve/CVE-2026-32591
- externalhttps://access.redhat.com/security/cve/CVE-2026-39820
- externalhttps://access.redhat.com/security/cve/CVE-2026-39821
- externalhttps://access.redhat.com/security/cve/CVE-2026-39828
- externalhttps://access.redhat.com/security/cve/CVE-2026-39829
- externalhttps://access.redhat.com/security/cve/CVE-2026-39830
- externalhttps://access.redhat.com/security/cve/CVE-2026-39831
- externalhttps://access.redhat.com/security/cve/CVE-2026-39832
- externalhttps://access.redhat.com/security/cve/CVE-2026-39835
- externalhttps://access.redhat.com/security/cve/CVE-2026-42151
- externalhttps://access.redhat.com/security/cve/CVE-2026-42154
- externalhttps://access.redhat.com/security/cve/CVE-2026-42499
- externalhttps://access.redhat.com/security/cve/CVE-2026-42508
- externalhttps://access.redhat.com/security/cve/CVE-2026-44486
- externalhttps://access.redhat.com/security/cve/CVE-2026-44487
- externalhttps://access.redhat.com/security/cve/CVE-2026-44488
- externalhttps://access.redhat.com/security/cve/CVE-2026-44492
- externalhttps://access.redhat.com/security/cve/CVE-2026-44494
- externalhttps://access.redhat.com/security/cve/CVE-2026-44495
- externalhttps://access.redhat.com/security/cve/CVE-2026-44990
- externalhttps://access.redhat.com/security/cve/CVE-2026-45822
- externalhttps://access.redhat.com/security/cve/CVE-2026-46597
- externalhttps://access.redhat.com/security/updates/classification/
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_40262.json