Rhoai Odh-Workbench-Codeserver-Datascience-Cpu-Py312-Rhel9 vulnerabilities

9 known vulnerabilities affecting rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 5, LOW 2

Vulnerabilities

CVE-2026-41324 | HIGH | CVSS 7.5 | 2026-04-24 | CWE-770 | Source: redhat
basic-ftp: Denial of Service via unbounded memory growth from malicious directory listings
A flaw was found in basic-ftp, an FTP client for Node.js. A malicious or compromised remote FTP server can exploit this vulnerability by sending an extremely large or never-ending directory listing response. This can cause the client process to consume an unbounded
CVE-2026-32952 | MEDIUM | CVSS 5.3 | 2026-04-24 | CWE-190 | Source: redhat
go-ntlmssp: Denial of Service via malicious NTLM challenge
A flaw was found in the `go-ntlmssp` package. A remote attacker could exploit this vulnerability by sending a specially crafted NTLM (NT LAN Manager) challenge message. This malicious message can trigger a slice out of bounds panic, leading to a Denial of Service (DoS) by crashing any Go process that utilizes `ntlmssp.Negot
CVE-2026-41988 | LOW | CVSS 3.2 | 2026-04-23 | CWE-787 | Source: redhat
uuid: Unexpected data writes when using external output buffers with specific UUID versions
A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected. Pack
CVE-2026-6019 | LOW | CVSS 2.1 | 2026-04-22 | CWE-79 | Source: redhat
python: Cross-Site Scripting (XSS) vulnerability in http.cookies module
A flaw was found in Python's `http.cookies` module. The `Morsel.js_output()` function, responsible for generating JavaScript output for cookies, does not properly neutralize the `` HTML sequence. This oversight could allow a remote attacker to inject malicious script into a web page, potentially leading to Cros
CVE-2026-40895 | MEDIUM | CVSS 6.9 | 2026-04-21 | CWE-212 | Source: redhat
follow-redirects: Information disclosure via cross-domain redirects
A flaw was found in follow-redirects. When an HTTP request follows a cross-domain redirect (a redirection to a different domain), custom authentication headers, such as X-API-Key or X-Auth-Token, are not properly stripped. This allows these sensitive headers to be forwarded verbatim to the redi
CVE-2026-3219 | MEDIUM | CVSS 4.6 | 2026-04-20 | CWE-1287 | Source: redhat
pip: Incorrect file installation due to improper archive handling
A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an a
CVE-2026-28684 | MEDIUM | CVSS 6.6 | 2026-04-20 | CWE-59 | Source: redhat
python-dotenv: Arbitrary file overwrite via symbolic link following
A flaw was found in python-dotenv. A local attacker can exploit this by crafting a symbolic link, which the `set_key()` and `unset_key()` functions in python-dotenv follow when rewriting `.env` files. This can lead to the overwriting of arbitrary files on the system. Mitigation: Mitigation for this i
CVE-2026-41242 | CRITICAL | CVSS 9.4 | 2026-04-18 | CWE-94 | Source: redhat
protobufjs: Arbitrary code execution via injected protobuf definition type fields
A flaw was found in protobufjs, a JavaScript (JS) library used for compiling protobuf definitions. A remote attacker with low privileges can exploit this vulnerability by injecting arbitrary code into the "type" fields of protobuf definitions. This malicious code will then exec
CVE-2026-31988 | MEDIUM | CVSS 6.9 | 2026-03-11 | CWE-193 | Source: redhat
yauzl: Denial of Service vulnerability in zip file processing
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer bound