Rhelai3 Bootc-Azure-Cuda-Rhel9 vulnerabilities

7 known vulnerabilities affecting rhelai3/bootc-azure-cuda-rhel9.

- Total CVEs: 7
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: HIGH 2, MEDIUM 4, LOW 1

Vulnerabilities

CVE-2026-7141 | MEDIUM | CVSS 6.3 | 2026-04-27
CVE-2026-7141 [MEDIUM] CWE-908 vllm: Uninitialized resource in KV Block Handler via has_mamba_layers function. A flaw was found in vllm. A remote attacker can exploit a vulnerability in the `has_mamba_layers` function within the KV Block Handler component. By performing a specific manipulation, an uninitialized resource can be triggered, potentially leading to information disclosure or denial of service. T
redhat
CVE-2026-6019 | LOW | CVSS 2.1 | 2026-04-22
CVE-2026-6019 [LOW] CWE-79 python: Cross-Site Scripting (XSS) vulnerability in http.cookies module. A flaw was found in Python's `http.cookies` module. The `Morsel.js_output()` function, responsible for generating JavaScript output for cookies, does not properly neutralize the `` HTML sequence. This oversight could allow a remote attacker to inject malicious script into a web page, potentially leading to Cros
redhat
CVE-2026-3219 | MEDIUM | CVSS 4.6 | 2026-04-20
CVE-2026-3219 [MEDIUM] CWE-1287 pip: Incorrect file installation due to improper archive handling. A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an a
redhat
CVE-2026-28684 | MEDIUM | CVSS 6.6 | 2026-04-20
CVE-2026-28684 [MEDIUM] CWE-59 python-dotenv: Arbitrary file overwrite via symbolic link following. A flaw was found in python-dotenv. A local attacker can exploit this by crafting a symbolic link, which the `set_key()` and `unset_key()` functions in python-dotenv follow when rewriting `.env` files. This can lead to the overwriting of arbitrary files on the system. Mitigation: Mitigation for this i
redhat
CVE-2026-40347 | MEDIUM | CVSS 5.3 | 2026-04-17
CVE-2026-40347 [MEDIUM] CWE-1050 python-multipart: Denial of Service via crafted multipart/form-data requests. Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to
redhat
CVE-2026-6859 | HIGH | CVSS 8.8 | 2026-04-15
CVE-2026-6859 [HIGH] CWE-829 instructlab: Arbitrary code execution due to hardcoded `trust_remote_code=True`. A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially c
redhat
CVE-2026-6855 | HIGH | CVSS 7.1 | 2026-04-15
CVE-2026-6855 [HIGH] CWE-22 instructlab: Path traversal allows arbitrary directory creation and file write. A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leadi
redhat