rhelai3/bootc-rocm-rhel9 vulnerabilities
20 known vulnerabilities affecting rhelai3/bootc-rocm-rhel9.
Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 13, LOW 3
Vulnerabilities
CVE-2026-7141 | MEDIUM | CVSS 6.3 | CWE-908 | 2026-04-27
vllm: vllm: Uninitialized resource in KV Block Handler via has_mamba_layers function
A flaw was found in vllm. A remote attacker can exploit a vulnerability in the `has_mamba_layers` function within the KV Block Handler component. By performing a specific manipulation, an uninitialized resource can be triggered, potentially leading to information disclosure or denial of service. T
Source: redhat
CVE-2026-42035 | HIGH | CVSS 7.4 | CWE-915 | 2026-04-24
axios: Axios: Arbitrary HTTP header injection via prototype pollution
A flaw was found in Axios, a software library for making network requests. A remote attacker can exploit a prototype pollution vulnerability to inject arbitrary HTTP headers into outgoing requests. This occurs when the application's core object definitions are manipulated, causing Axios to misinterpret data and include attacker
Source: redhat
CVE-2026-42037 | MEDIUM | CVSS 5.3 | CWE-93 | 2026-04-24
axios: Node.js: Axios: Information disclosure via CRLF injection in multipart Content-Type header
A flaw was found in Axios, an HTTP client for Node.js. A remote attacker, by controlling the type property of a file-like object, could inject arbitrary MIME part headers into multipart form data. This vulnerability arises from insufficient sanitization of carriage return
Source: redhat
CVE-2026-42038 | MEDIUM | CVSS 6.8 | CWE-1220 | 2026-04-24
axios: Axios: Information disclosure due to `no_proxy` bypass
A flaw was found in Axios, a software library used for making web requests. This vulnerability allows an attacker to bypass the `no_proxy` configuration, which is designed to prevent certain internal network requests from being sent through an external proxy. Specifically, when `no_proxy=localhost` is set, requests intended for local system
Source: redhat
CVE-2026-42042 | MEDIUM | CVSS 5.4 | CWE-1025 | 2026-04-24
axios: Axios: XSRF token bypass leading to information disclosure
A flaw was found in Axios, a promise-based HTTP client. A remote attacker can exploit this vulnerability by manipulating the `withXSRFToken` configuration property to a truthy non-boolean value. This bypasses the same-origin check, causing Cross-Site Request Forgery (XSRF) tokens to be sent to attacker-controlled cross-origin server
Source: redhat
CVE-2026-41305 | MEDIUM | CVSS 6.1 | CWE-79 | 2026-04-24
postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting (XSS) by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML `<style>` tags, it fails to properly escape `</style>` sequences. This oversight
Source: redhat
CVE-2026-41488 | LOW | CVSS 3.1 | CWE-367 | 2026-04-24
langchain-openai: Langchain-openai: Server-Side Request Forgery (SSRF) protection bypass via DNS rebinding
A flaw was found in langchain-openai. A remote attacker could exploit a Time-of-Check to Time-of-Use (TOCTOU) vulnerability, here in the form of DNS rebinding. This occurs because the _url_to_size() helper, used for image token counting, validate
Source: redhat
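The check-then-fetch pattern behind a DNS-rebinding TOCTOU, next to a version that connects to the address it validated. This is an added example in Python, not langchain-openai's code: the resolver and connector are stand-ins for the real socket calls so the two flows run offline, the hostname and the BLOCKED list are constructed, and 203.0.113.10 is a documentation address standing in for a public IP.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not langchain-openai's code.  BLOCKED is a constructed
# denylist of loopback/private/link-local ranges; a real deployment would
# also cover cloud metadata addresses and IPv4-mapped IPv6 forms.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)  # mixed v4/v6 compares False


class RebindingResolver:
    """Constructed attacker DNS: answers a public IP first, then an internal one."""

    def __init__(self, answers):
        self.answers, self.calls = list(answers), 0

    def __call__(self, host: str) -> str:
        ip = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return ip


def fetch_check_then_resolve(url, resolve, connector):
    """Vulnerable: validates one lookup, then the HTTP client looks up again."""
    host = urlsplit(url).hostname
    if is_internal(resolve(host)):
        raise ValueError("internal address")
    return connector(resolve(host), host)  # second answer may differ


def fetch_pinned(url, resolve, connector):
    """Fixed: a single lookup; the address that was checked is the one used."""
    host = urlsplit(url).hostname
    ip = resolve(host)
    if is_internal(ip):
        raise ValueError("internal address")
    return connector(ip, host)  # Host header / SNI still carry the name


def fake_connect(ip: str, host: str) -> str:
    """Stand-in for opening the TCP/TLS connection; records where it went."""
    return f"connect {ip} Host: {host}"


def demo() -> dict:
    url = "https://images.attacker.example/cat.png"  # constructed
    out = {}
    for name, fn in (("vulnerable", fetch_check_then_resolve), ("pinned", fetch_pinned)):
        resolver = RebindingResolver(["203.0.113.10", "127.0.0.1"])
        out[name] = fn(url, resolver, fake_connect)
    return out


if __name__ == "__main__":
    print(demo())
```

Pinning the checked IP means the client must send the original hostname itself (Host header and TLS SNI) rather than letting the transport re-resolve; redirects received from the server need the same treatment on every hop.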
CVE-2026-41988 | LOW | CVSS 3.2 | CWE-787 | 2026-04-23
uuid: uuid: Unexpected data writes when using external output buffers with specific UUID versions
A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected.
Pack
Source: redhat
CVE-2026-41314 | MEDIUM | CVSS 4.8 | CWE-770 | 2026-04-22
pypdf: python: pypdf: Denial of Service via crafted PDF with large image sizes
A flaw was found in pypdf, a pure-Python PDF library. An attacker can exploit this vulnerability by crafting a malicious PDF file that accesses an image using `/FlateDecode` with large size values. This can lead to memory exhaustion, resulting in a Denial of Service (DoS) for the system processing the PDF.
Source: redhat
CVE-2026-41168 | MEDIUM | CVSS 6.9 | CWE-1284 | 2026-04-22
pypdf: pypdf: Denial of Service via crafted PDF with oversized streams
A flaw was found in pypdf. An attacker can craft a malicious PDF file containing oversized cross-reference streams or object streams. Processing such a file can lead to excessively long runtimes, resulting in a Denial of Service (DoS) for applications using the pypdf library.
Mitigation: Mitigation for this issue is eithe
Source: redhat
CVE-2026-41312 | MEDIUM | CVSS 4.8 | CWE-770 | 2026-04-22
pypdf: pypdf: Denial of Service due to excessive memory consumption via specially crafted PDF
A flaw was found in pypdf. An attacker can craft a malicious PDF file containing a specially compressed stream. When this file is processed, it can lead to excessive memory consumption (RAM exhaustion), resulting in a Denial of Service (DoS) for the affected system.
Mitigation:
Source: redhat
CVE-2026-41313 | MEDIUM | CVSS 4.8 | CWE-1284 | 2026-04-22
pypdf: pypdf: Denial of Service via crafted PDF with large trailer /Size value
A flaw was found in pypdf. An attacker can craft a malicious PDF file with a large trailer `/Size` value. When this PDF is loaded in incremental mode, it can lead to excessively long processing times, resulting in a Denial of Service (DoS) for the application or system processing the file.
Mitigation: Miti
Source: redhat
CVE-2026-6019 | LOW | CVSS 2.1 | CWE-79 | 2026-04-22
python: Python: Cross-Site Scripting (XSS) vulnerability in http.cookies module
A flaw was found in Python's `http.cookies` module. The `Morsel.js_output()` function, responsible for generating JavaScript output for cookies, does not properly neutralize the `` HTML sequence. This oversight could allow a remote attacker to inject malicious script into a web page, potentially leading to Cros
Source: redhat
CVE-2026-40895 | MEDIUM | CVSS 6.9 | CWE-212 | 2026-04-21
follow-redirects: follow-redirects: Information disclosure via cross-domain redirects
A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redi
Source: redhat
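What a client has to do at each redirect hop: compare the origin of the redirect target with the origin of the request and drop credentials when they differ. The point the follow-redirects entry makes is that a library only knows the standard credential headers; custom ones such as X-API-Key have to be declared by the caller. The function below is an added example in Python, not follow-redirects' code; header names, URLs and the `credential_headers` parameter are illustrative.

```python
from typing import Dict, Iterable, Tuple
from urllib.parse import urljoin, urlsplit

# Added example, not follow-redirects' code.  Headers a generic HTTP client
# can recognise as credentials on its own; everything else must be declared.
STANDARD_CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in and host lowercased."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme, 0)


def headers_for_redirect(request_url: str, location: str, headers: Dict[str, str],
                         credential_headers: Iterable[str] = ()) -> Tuple[str, Dict[str, str]]:
    """Return (target_url, headers to send) when following `location`.

    Origin includes the scheme, so an https->http downgrade on the same host
    is treated as cross-origin and loses credentials as well.  Header names
    are compared case-insensitively; the values are never inspected.
    """
    target = urljoin(request_url, location)  # Location may be relative
    if origin(request_url) == origin(target):
        return target, dict(headers)
    sensitive = STANDARD_CREDENTIAL_HEADERS | {h.lower() for h in credential_headers}
    return target, {k: v for k, v in headers.items() if k.lower() not in sensitive}


# Constructed request headers: one standard credential, one custom one.
REQUEST_HEADERS = {
    "Authorization": "Bearer t0ken",
    "X-API-Key": "k-123",
    "Accept": "application/json",
    "User-Agent": "demo/1",
}


def demo() -> Dict[str, list]:
    """Which header names survive each kind of redirect (hosts are constructed)."""
    src = "https://api.example.com/v1/export"
    cases = {
        "cross_domain": ("https://files.example.net/export.csv", {"X-API-Key"}),
        "same_origin": ("/v2/export", {"X-API-Key"}),
        "downgrade": ("http://api.example.com/v2/export", {"X-API-Key"}),
        "undeclared": ("https://files.example.net/export.csv", ()),  # caller forgot X-API-Key
    }
    return {name: sorted(headers_for_redirect(src, loc, REQUEST_HEADERS, creds)[1])
            for name, (loc, creds) in cases.items()}


if __name__ == "__main__":
    for name, kept in demo().items():
        print(f"{name}: {kept}")
```

The `undeclared` case reproduces the failure mode in the entry: Authorization is dropped, X-API-Key still travels to the other domain. Keeping the declaration next to the code that sets the header is the practical fix.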
CVE-2026-3219 | MEDIUM | CVSS 4.6 | CWE-1287 | 2026-04-20
pip: pip: Incorrect file installation due to improper archive handling
A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an a
Source: redhat
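Why a tar with a ZIP appended satisfies both parsers, and how to detect it before installing: the ZIP reader locates the end-of-central-directory record by scanning backwards from the end of the file, while the tar reader walks 512-byte headers from the start and stops at the end-of-archive marker. The classifier below is an added example in Python using only the standard library, not pip's code; the archive contents are constructed.

```python
import io
import tarfile
import zipfile
from typing import Dict, List, Optional

# Added example, not pip's code.  A file both readers accept is a polyglot:
# a tool that trusts zipfile.is_zipfile() installs the ZIP's members, a
# tool that trusts the tar header installs different ones.


def tar_members(data: bytes) -> Optional[List[str]]:
    """Member names if the bytes parse as an uncompressed tar, else None."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return tf.getnames()  # stops at the zero end-of-archive blocks
    except tarfile.TarError:
        return None


def zip_members(data: bytes) -> Optional[List[str]]:
    """Member names if the bytes parse as a ZIP, else None."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()  # zipfile corrects for bytes prepended to the ZIP


def classify_archive(data: bytes) -> str:
    """'tar', 'zip', 'polyglot' (both parsers accept it) or 'unknown'."""
    as_tar = tar_members(data) is not None
    as_zip = zip_members(data) is not None
    if as_tar and as_zip:
        return "polyglot"
    return "tar" if as_tar else "zip" if as_zip else "unknown"


def make_tar(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def make_zip(files: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: an innocuous-looking sdist as tar, with a different
# package appended as ZIP.  The ZIP's offsets are relative to its own start;
# zipfile detects the prepended tar bytes and adjusts, so both parse cleanly.
TAR_PART = make_tar({"pkg-1.0/setup.py": b"# harmless\n"})
ZIP_PART = make_zip({"pkg/__init__.py": b"# different content\n"})
POLYGLOT = TAR_PART + ZIP_PART

if __name__ == "__main__":
    for label, blob in (("tar", TAR_PART), ("zip", ZIP_PART), ("tar+zip", POLYGLOT)):
        print(label, classify_archive(blob), tar_members(blob), zip_members(blob))
```

Rejecting anything classified as `polyglot` at the point where an archive is unpacked is the simplest policy; deciding by file extension alone does not help, because the extension says nothing about which parser the bytes were built for.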
CVE-2026-28684 | MEDIUM | CVSS 6.6 | CWE-59 | 2026-04-20
python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following
A flaw was found in python-dotenv. A local attacker can exploit this by crafting a symbolic link, which the `set_key()` and `unset_key()` functions in python-dotenv follow when rewriting `.env` files. This can lead to the overwriting of arbitrary files on the system.
Mitigation: Mitigation for this i
Source: redhat
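Rewriting a `.env` file without following a link planted at its path. The function below is an added example in Python, not python-dotenv's `set_key()`: it opens the final path component with `O_NOFOLLOW` for both the read and the write, so there is no lstat-then-open window for a link to be swapped in. It assumes Linux (where `os.O_NOFOLLOW` exists) and keeps the `.env` syntax to plain `KEY=value` lines.

```python
import errno
import os
import tempfile
from typing import List

# Added example, not python-dotenv's code.  Assumes Linux: O_NOFOLLOW makes
# open() fail with ELOOP when the last path component is a symbolic link.


def _open_nofollow(path: str, flags: int, mode: int = 0o600) -> int:
    """os.open() that refuses to dereference a symlink in the final component."""
    try:
        return os.open(path, flags | os.O_NOFOLLOW, mode)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError(f"refusing to follow symlink: {path}") from exc
        raise  # FileNotFoundError and others propagate unchanged


def set_key_nofollow(dotenv_path: str, key: str, value: str) -> List[str]:
    """Set `key` to `value` in the file and return the resulting lines.

    Content is rewritten in place through the O_NOFOLLOW descriptor rather
    than written via a path-based open(), so a link at dotenv_path is an
    error instead of a write to the link's target.
    """
    lines: List[str] = []
    try:
        fd = _open_nofollow(dotenv_path, os.O_RDONLY)
    except FileNotFoundError:
        pass  # first key in a new file
    else:
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            lines = fh.read().splitlines()

    new_line = f"{key}={value}"
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == key:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)

    fd = _open_nofollow(dotenv_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return lines


def demo() -> dict:
    """Constructed scenario: .env is a symlink to a file that must stay untouched."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w", encoding="utf-8") as fh:
            fh.write("ORIGINAL\n")
        link = os.path.join(d, ".env")
        os.symlink(victim, link)  # what a local attacker would plant
        try:
            set_key_nofollow(link, "API_KEY", "x")
            rejected = False
        except PermissionError:
            rejected = True
        with open(victim, encoding="utf-8") as fh:
            intact = fh.read() == "ORIGINAL\n"

        real = os.path.join(d, "real.env")  # the normal case still works
        set_key_nofollow(real, "A", "1")
        set_key_nofollow(real, "B", "2")
        lines = set_key_nofollow(real, "A", "9")  # update in place, order kept
    return {"symlink_rejected": rejected, "target_intact": intact, "lines": lines}


if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only guards the last component; a link in a parent directory is still followed, so the directory holding `.env` must not be writable by untrusted local users.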
CVE-2026-41242 | CRITICAL | CVSS 9.4 | CWE-94 | 2026-04-18
protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields
A flaw was found in protobufjs, a JavaScript (JS) library used for compiling protobuf definitions. A remote attacker with low privileges can exploit this vulnerability by injecting arbitrary code into the "type" fields of protobuf definitions. This malicious code will then exec
Source: redhat
CVE-2026-40347 | MEDIUM | CVSS 5.3 | CWE-1050 | 2026-04-17
python-multipart: Python-Multipart: Denial of Service via crafted multipart/form-data requests
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to
Source: redhat
CVE-2026-6859 | HIGH | CVSS 8.8 | CWE-829 | 2026-04-15
instructlab: InstructLab: Arbitrary code execution due to hardcoded `trust_remote_code=True`
A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially c
Source: redhat
CVE-2026-6855 | HIGH | CVSS 7.1 | CWE-22 | 2026-04-15
instructlab: InstructLab: Path traversal allows arbitrary directory creation and file write
A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leadi
Source: redhat
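Confining a caller-supplied directory and file name to a fixed base before any `mkdir` or write happens. This is an added example in Python, not InstructLab's chat session handler: the `logs_dir` and `session_name` parameters mirror the entry's description but the function names, the base directory and the test inputs are constructed. Resolving the joined path covers the three ways out of the base that matter: `..` segments, an absolute path that makes the join discard the base, and a symlink inside the base that points outside it.

```python
import tempfile
from pathlib import Path
from typing import Dict

# Added example, not InstructLab's code.  Names are illustrative.


def confine(base: Path, *untrusted: str) -> Path:
    """Join untrusted segments onto base; raise ValueError if the result escapes.

    Path.resolve() collapses '..' and follows symlinks even for paths that do
    not exist yet, so the comparison is made on the path that would actually
    be created.  joinpath() with an absolute segment drops `base`, which the
    same comparison catches.
    """
    base = base.resolve()
    candidate = base.joinpath(*untrusted).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes {base}: {candidate}") from None
    return candidate


def session_log_path(base: Path, logs_dir: str, session_name: str) -> Path:
    """Where a chat session log may be written; directories are created only after the check."""
    target = confine(base, logs_dir, session_name + ".log")
    target.parent.mkdir(parents=True, exist_ok=True)
    return target


def demo() -> Dict[str, str]:
    """Constructed inputs: one legitimate session, three escape attempts."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d) / "chat"
        outside = Path(d) / "outside"
        base.mkdir()
        outside.mkdir()
        (base / "linked").symlink_to(outside, target_is_directory=True)  # planted link
        results = {}
        for label, logs_dir, name in (
            ("plain", "logs", "session-1"),
            ("dotdot", "../../etc/cron.d", "job"),
            ("absolute", "/etc/cron.d", "job"),
            ("symlink", "linked", "session-2"),
        ):
            try:
                p = session_log_path(base, logs_dir, name)
                results[label] = str(p.relative_to(base.resolve()))
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The check and the `mkdir` are still two separate steps, so the base directory itself must not be writable by the local attacker between them; the symlink case in `demo()` is what a race at that point would look like if it won.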