Export limit exceeded: 19503 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 23442 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (23442 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-45290 | 1 Redhat | 20 Advanced Cluster Security, Ansible Automation Platform, Ceph Storage and 17 more | 2026-04-15 | 6.5 Medium |
| When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. | ||||
| CVE-2025-24495 | 1 Redhat | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2026-04-15 | 5.6 Medium |
| Incorrect initialization of resource in the branch prediction unit for some Intel(R) Core™ Ultra Processors may allow an authenticated user to potentially enable information disclosure via local access. | ||||
| CVE-2025-6547 | 2 Browserify, Redhat | 2 Pbkdf2, Service Mesh | 2026-04-15 | 8.1 High |
| Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2. | ||||
| CVE-2025-48387 | 1 Redhat | 1 Rhdh | 2026-04-15 | 7.3 High |
| tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories. | ||||
| CVE-2025-2877 | 1 Redhat | 2 Ansible Automation Platform, Ansible Automation Platform Developer | 2026-04-15 | 6.5 Medium |
| A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams. | ||||
| CVE-2025-25208 | 1 Redhat | 1 Connectivity Link | 2026-04-15 | 5.7 Medium |
| A Developer persona can bring down the Authorino service, preventing the evaluation of all AuthPolicies on the cluster | ||||
| CVE-2025-1247 | 1 Redhat | 2 Camel Quarkus, Quarkus | 2026-04-15 | 8.3 High |
| A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information. | ||||
| CVE-2025-1244 | 1 Redhat | 7 Enterprise Linux, Openshift Builds, Rhel Aus and 4 more | 2026-04-15 | 8.8 High |
| A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. | ||||
| CVE-2025-14876 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 5.5 Medium |
| A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly. | ||||
| CVE-2025-6019 | 1 Redhat | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2026-04-15 | 7 High |
| A Local Privilege Escalation (LPE) vulnerability was found in libblockdev. Generally, the "allow_active" setting in Polkit permits a physically present user to take certain actions based on the session type. Due to the way libblockdev interacts with the udisks daemon, an "allow_active" user on a system may be able escalate to full root privileges on the target host. Normally, udisks mounts user-provided filesystem images with security flags like nosuid and nodev to prevent privilege escalation. However, a local attacker can create a specially crafted XFS image containing a SUID-root shell, then trick udisks into resizing it. This mounts their malicious filesystem with root privileges, allowing them to execute their SUID-root shell and gain complete control of the system. | ||||
| CVE-2024-8553 | 1 Redhat | 4 Satellite, Satellite Capsule, Satellite Maintenance and 1 more | 2026-04-15 | 6.3 Medium |
| A vulnerability was found in Foreman's loader macros introduced with report templates. These macros may allow an authenticated user with permissions to view and create templates to read any field from Foreman's database. By using specific strings in the loader macros, users can bypass permissions and access sensitive information. | ||||
| CVE-2024-8088 | 2 Python Software Foundation, Redhat | 2 Cpython, Enterprise Linux | 2026-04-15 | 5.3 Medium |
| There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. | ||||
| CVE-2024-6840 | 1 Redhat | 3 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside | 2026-04-15 | 6.6 Medium |
| An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `automountServiceAccountToken: true`, resulting in privilege escalation to a service account. | ||||
| CVE-2024-8509 | 1 Redhat | 1 Migration Toolkit Virtualization | 2026-04-15 | 7.5 High |
| A vulnerability was found in Forklift Controller. There is no verification against the authorization header except to ensure it uses bearer authentication. Without an Authorization header and some form of a Bearer token, a 401 error occurs. The presence of a token value provides a 200 response with the requested information. | ||||
| CVE-2025-61663 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 4.9 Medium |
| A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded. | ||||
| CVE-2025-14083 | 1 Redhat | 1 Build Keycloak | 2026-04-15 | 2.7 Low |
| A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. | ||||
| CVE-2024-9779 | 1 Redhat | 1 Acm | 2026-04-15 | 7.5 High |
| A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster. | ||||
| CVE-2024-48916 | 1 Redhat | 1 Ceph Storage | 2026-04-15 | 8.1 High |
| Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published. | ||||
| CVE-2024-1135 | 2 Benoitc, Redhat | 7 Gunicorn, Ansible Automation Platform, Openshift and 4 more | 2026-04-15 | N/A |
| Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure. | ||||
| CVE-2024-45339 | 1 Redhat | 2 Ocp Tools, Openshift Ai | 2026-04-15 | 7.1 High |
| When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists. | ||||