RHSA-2026:40262HighCVSS 8.8

Red Hat Security Advisory: Red Hat Quay 3.9.24

Published
July 15, 2026
Last Modified
July 16, 2026

🔗 CVE IDs covered (24)

📋 Description

CVE-2026-12143 — form-data: form-data: Form field override via CRLF injection CVE-2026-13676 — fast-uri: fast-uri: Security policy bypass due to improper Unicode hostname canonicalization CVE-2026-32591 — mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration CVE-2026-39820 — net/mail: golang: Go net/mail: Denial of Service via crafted email inputs CVE-2026-39821 — golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via incorrect Punycode label processing CVE-2026-39828 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Unauthorized command execution via discarded SSH permissions CVE-2026-39829 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters CVE-2026-39830 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses CVE-2026-39831 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Security key bypass due to missing user presence check CVE-2026-39832 — golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions CVE-2026-39835 — golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial of Service via crafted SSH certificate CVE-2026-42151 — github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API CVE-2026-42154 — github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint CVE-2026-42499 — net/mail: golang: net/mail: Denial of Service via pathological email address parsing CVE-2026-42508 — golang.org/x/crypto/ssh/knownhosts: golang: golang.org/x/crypto/ssh/knownhosts: Revocation bypass via unchecked SignatureKey CVE-2026-44486 — axios: Axios: Information disclosure of proxy credentials via HTTP redirects CVE-2026-44487 — axios: Axios: Information disclosure of proxy credentials via redirect flows CVE-2026-44488 — axios: Axios: Denial of Service due to unenforced request and response size limits CVE-2026-44492 — axios: Axios: Proxy bypass via IPv4-mapped IPv6 address non-normalization CVE-2026-44494 — axios: Axios: Man-in-the-Middle (MITM) attack via Prototype Pollution CVE-2026-44495 — axios: Axios: Information disclosure due to prototype pollution vulnerability CVE-2026-44990 — sanitize-html: sanitize-html: Stored Cross-Site Scripting via HTML sanitizer bypass CVE-2026-45822 — decode-uri-component: decode-uri-component: Denial of Service via crafted input CVE-2026-46597 — golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted AES-GCM packet decoder inputs

🔗 References (27)