Quay Quay-Rhel8 vulnerabilities

CVE-2026-6993 [MEDIUM] CWE-444 net/http: golang: github.com/go-kratos/kratos: go-kratos kratos: Information disclosure via unintended HTTP server intermediary net/http: golang: github.com/go-kratos/kratos: go-kratos kratos: Information disclosure via unintended HTTP server intermediary A flaw was found in go-kratos kratos. A remote attacker could exploit a vulnerability in the HTTP server's `NewServer` function, specifically within the `http.DefaultServeMux Fallback Handler`. This manipulation

CVE-2026-41066 [HIGH] CWE-611 lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read lxml: python: lxml: Information disclosure via untrusted XML input leading to local file read A flaw was found in lxml, a library for processing XML and HTML in Python. A remote attacker can exploit this vulnerability by sending untrusted XML input to an application using lxml's default parser configuration. This allows the attacker to read local files on the system, leadi

CVE-2026-42035 [HIGH] CWE-915 axios: Axios: Arbitrary HTTP header injection via prototype pollution axios: Axios: Arbitrary HTTP header injection via prototype pollution A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker

CVE-2026-42037 [MEDIUM] CWE-93 axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header A flaw was found in Axios, an HTTP client for Node.js. A remote attacker, by controlling the type property of a file-like object, could inject arbitrary MIME part headers into multipart form data. This vulnerability arises from insufficient sanitization of carriage return

CVE-2026-42038 [MEDIUM] CWE-1220 axios: Axios: Information disclosure due to `no_proxy` bypass axios: Axios: Information disclosure due to `no_proxy` bypass A flaw was found in Axios, a software library used for making web requests. This vulnerability allows an attacker to bypass the `no_proxy` configuration, which is designed to prevent certain internal network requests from being sent through an external proxy. Specifically, when `no_proxy=localhost` is set, requests intended for local system

CVE-2026-32952 [MEDIUM] CWE-190 go-ntlmssp: go-ntlmssp: Denial of Service via malicious NTLM challenge go-ntlmssp: go-ntlmssp: Denial of Service via malicious NTLM challenge A flaw was found in the `go-ntlmssp` package. A remote attacker could exploit this vulnerability by sending a specially crafted NTLM (NT LAN Manager) challenge message. This malicious message can trigger a slice out of bounds panic, leading to a Denial of Service (DoS) by crashing any Go process that utilizes `ntlmssp.Negot

CVE-2026-42042 [MEDIUM] CWE-1025 axios: Axios: XSRF token bypass leading to information disclosure axios: Axios: XSRF token bypass leading to information disclosure A flaw was found in Axios, a promise-based HTTP client. A remote attacker can exploit this vulnerability by manipulating the `withXSRFToken` configuration property to a truthy non-boolean value. This bypasses the same-origin check, causing Cross-Site Request Forgery (XSRF) tokens to be sent to attacker-controlled cross-origin server

CVE-2026-41305 [MEDIUM] CWE-79 postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting (XSS) by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML `` tags, it fails to properly escape `` sequences. This oversight

CVE-2026-41205 [HIGH] CWE-22 mako: python: Mako: Information disclosure via path traversal vulnerability mako: python: Mako: Information disclosure via path traversal vulnerability A flaw was found in Mako, a Python template library. This vulnerability, known as path traversal, allows an attacker to access files outside of the intended directory. By providing a specially crafted input to the TemplateLookup.get_template() function, a remote attacker can exploit an inconsistency in how the system

CVE-2026-41988 [LOW] CWE-787 uuid: uuid: Unexpected data writes when using external output buffers with specific UUID versions uuid: uuid: Unexpected data writes when using external output buffers with specific UUID versions A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected. Pack

CVE-2026-41314 [MEDIUM] CWE-770 pypdf: python: pypdf: Denial of Service via crafted PDF with large image sizes pypdf: python: pypdf: Denial of Service via crafted PDF with large image sizes A flaw was found in pypdf, a pure-Python PDF library. An attacker can exploit this vulnerability by crafting a malicious PDF file that accesses an image using `/FlateDecode` with large size values. This can lead to memory exhaustion, resulting in a Denial of Service (DoS) for the system processing the PDF.

CVE-2026-41168 [MEDIUM] CWE-1284 pypdf: pypdf: Denial of Service via crafted PDF with oversized streams pypdf: pypdf: Denial of Service via crafted PDF with oversized streams A flaw was found in pypdf. An attacker can craft a malicious PDF file containing oversized cross-reference streams or object streams. Processing such a file can lead to excessively long runtimes, resulting in a Denial of Service (DoS) for applications using the pypdf library. Mitigation: Mitigation for this issue is eithe

CVE-2026-41312 [MEDIUM] CWE-770 pypdf: pypdf: Denial of Service due to excessive memory consumption via specially crafted PDF pypdf: pypdf: Denial of Service due to excessive memory consumption via specially crafted PDF A flaw was found in pypdf. An attacker can craft a malicious PDF file containing a specially compressed stream. When this file is processed, it can lead to excessive memory consumption (RAM exhaustion), resulting in a Denial of Service (DoS) for the affected system. Mitigation:

CVE-2026-41313 [MEDIUM] CWE-1284 pypdf: pypdf: Denial of Service via crafted PDF with large trailer /Size value pypdf: pypdf: Denial of Service via crafted PDF with large trailer /Size value A flaw was found in pypdf. An attacker can craft a malicious PDF file with a large trailer `/Size` value. When this PDF is loaded in incremental mode, it can lead to excessively long processing times, resulting in a Denial of Service (DoS) for the application or system processing the file. Mitigation: Miti

CVE-2026-40895 [MEDIUM] CWE-212 follow-redirects: follow-redirects: Information disclosure via cross-domain redirects follow-redirects: follow-redirects: Information disclosure via cross-domain redirects A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redi

CVE-2026-3219 [MEDIUM] CWE-1287 pip: pip: Incorrect file installation due to improper archive handling pip: pip: Incorrect file installation due to improper archive handling A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an a

CVE-2026-6848 [MEDIUM] CWE-613 quay: Red Hat Quay: Authentication bypass allows privileged actions without valid credentials quay: Red Hat Quay: Authentication bypass allows privileged actions without valid credentials A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with acces

CVE-2026-32280 [HIGH] CWE-770 crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building A flaw was found in the Go standard library packages `crypto/x509` and `crypto/tls`. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncon