mta/mta-solution-server-rhel9 vulnerabilities
9 known vulnerabilities affecting mta/mta-solution-server-rhel9.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 6, LOW 1
Vulnerabilities
CVE-2026-7020 | MEDIUM | CVSS 6.3 | 2026-04-26
CVE-2026-7020 [MEDIUM] CWE-22 Ollama: Ollama: Path traversal vulnerability in Tensor Model Transfer Handler
A flaw was found in Ollama, specifically within the Tensor Model Transfer Handler component. A remote attacker can exploit this vulnerability by manipulating the `digest` argument in the `digestToPath` function, leading to a path traversal. This allows unauthorized access to files or directories on the system. T
redhat
CVE-2026-41066 | HIGH | CVSS 7.5 | 2026-04-24
CVE-2026-41066 [HIGH] CWE-611 lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read
A flaw was found in lxml, a library for processing XML and HTML in Python. A remote attacker can exploit this vulnerability by sending untrusted XML input to an application using lxml's default parser configuration. This allows the attacker to read local files on the system, leadi
redhat
CVE-2026-41481 | MEDIUM | CVSS 6.5 | 2026-04-24
CVE-2026-41481 [MEDIUM] CWE-918 langchain-text-splitters: LangChain: Information Disclosure via Server-Side Request Forgery (SSRF) Redirect Bypass
A flaw was found in LangChain and langchain-text-splitters. This vulnerability, a Server-Side Request Forgery (SSRF) bypass, allows a remote attacker to redirect a seemingly safe URL to internal network resources. By exploiting unvalidat
redhat
CVE-2026-41488 | LOW | CVSS 3.1 | 2026-04-24
CVE-2026-41488 [LOW] CWE-367 langchain-openai: Langchain-openai: Server-Side Request Forgery (SSRF) protection bypass via DNS rebinding
A flaw was found in langchain-openai. A remote attacker could exploit a Time-of-Check to Time-of-Use (TOCTOU) vulnerability, also known as a DNS rebinding vulnerability. This occurs because the _url_to_size() helper, used for image token counting, validate
redhat
CVE-2026-41205 | HIGH | CVSS 7.7 | 2026-04-23
CVE-2026-41205 [HIGH] CWE-22 mako: python: Mako: Information disclosure via path traversal vulnerability
A flaw was found in Mako, a Python template library. This vulnerability, known as path traversal, allows an attacker to access files outside of the intended directory. By providing a specially crafted input to the TemplateLookup.get_template() function, a remote attacker can exploit an inconsistency in how the system
redhat
CVE-2026-39377 | MEDIUM | CVSS 6.5 | 2026-04-21
CVE-2026-39377 [MEDIUM] CWE-22 nbconvert: nbconvert: Arbitrary file write via crafted Jupyter notebook cell attachment filenames
A flaw was found in nbconvert, a tool used to convert Jupyter notebooks. When processing notebooks containing specially crafted cell attachment filenames, a remote attacker can exploit a path traversal vulnerability. This allows the attacker to write arbitrary files to lo
redhat
CVE-2026-39378 | MEDIUM | CVSS 6.5 | 2026-04-21
CVE-2026-39378 [MEDIUM] CWE-22 nbconvert: nbconvert: Sensitive file exfiltration via path traversal in image references
A flaw was found in nbconvert, a tool used to convert Jupyter notebooks. A malicious notebook can exploit this vulnerability when the `HTMLExporter.embed_images` setting is enabled. This allows for path traversal in image references, which can lead to arbitrary file read. Consequently, sen
redhat
CVE-2026-28684 | MEDIUM | CVSS 6.6 | 2026-04-20
CVE-2026-28684 [MEDIUM] CWE-59 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following
A flaw was found in python-dotenv. A local attacker can exploit this by crafting a symbolic link, which the `set_key()` and `unset_key()` functions in python-dotenv follow when rewriting `.env` files. This can lead to the overwriting of arbitrary files on the system.
Mitigation: Mitigation for this i
redhat
CVE-2026-40347 | MEDIUM | CVSS 5.3 | 2026-04-17
CVE-2026-40347 [MEDIUM] CWE-1050 python-multipart: Python-Multipart: Denial of Service via crafted multipart/form-data requests
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to
redhat