RHSA-2026:40984HighCVSS 9.1

Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.20.15 security, enhancement & bug fix update

Published
July 16, 2026
Last Modified
July 16, 2026

🔗 CVE IDs covered (22)

📋 Description

CVE-2025-12816 — node-forge: node-forge: Interpretation conflict vulnerability allows bypassing cryptographic verifications CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions CVE-2025-15284 — qs: qs: Denial of Service via improper input validation in array parsing CVE-2025-66031 — node-forge: node-forge ASN.1 Unbounded Recursion CVE-2025-68157 — webpack: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects CVE-2025-68458 — webpack: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior CVE-2025-69873 — ajv: ReDoS via $data reference CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports CVE-2026-22029 — @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects CVE-2026-25128 — fast-xml-parser: fast-xml-parser has RangeError DoS Numeric Entities Bug CVE-2026-25896 — fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling CVE-2026-26278 — fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions CVE-2026-27942 — fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution CVE-2026-33036 — fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation CVE-2026-33815 — github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability CVE-2026-33816 — github.com/jackc/pgx/v5: github.com/jackc/pgx: Memory-safety vulnerability CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object CVE-2026-48779 — ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments

🔗 References (26)