Threats Tagged 'cve-2026-1287'

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Security Fix(es): * python3.12-django: Django: SQL Injection via crafted column aliases (CVE-2026-1287) * python3.12-django: Django: SQL Injection via RasterField band index parameter (CVE-2026-1207) * python3.12-django: Django: SQL injection via crafted column aliases in QuerySet.order_by() (CVE-2026-1312) * python3.12-django: Django: Denial of Service via crafted HTML inputs (CVE-2026-1285) * python3.12-django: Django: Denial of Service via crafted request with duplicate headers (CVE-2025-14550) * python3.12-markdown: markdown: Denial of Service via malformed HTML-like sequences (CVE-2025-69534) * python3.12-pyOpenSSL: pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459) * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings (CVE-2026-33176)

Red Hat OpenShift Dev Spaces 3.26.1 release addresses multiple security vulnerabilities identified by CVEs including CVE-2025-6176 and others. OpenShift Dev Spaces is a cloud developer workspace server and browser-based IDE designed for container-based development within OpenShift. The 3.26 release is based on Eclipse Che 7.113 and supports devfile v2.1 and v2.2 standards, with a recommendation to migrate from v1. This update is intended for OpenShift EUS releases v4.16 and higher.

Red Hat Ansible Automation Platform 2.5 has multiple security vulnerabilities affecting components such as automation-controller, automation-gateway, python3.11 packages (aiohttp, django, protobuf), and receptor. These include privilege escalation, arbitrary code execution, denial of service, SQL injection, cross-site scripting, and memory exhaustion issues. The update to version 2.5 includes fixes for these vulnerabilities and upgrades Python to version 3.12. Users must apply the latest installer version to successfully update and mitigate these issues.

Red Hat Ansible Automation Platform 2.6 has a security advisory addressing multiple vulnerabilities affecting its container release. The platform provides an enterprise framework for IT automation, enabling teams to share and manage automation content. This update addresses a set of 17 CVEs, including CVE-2025-4565 and others, with a high severity rating. The advisory recommends applying the update after ensuring all previous errata are applied. No specific CVSS scores are provided for these vulnerabilities.

See the release notes (link in the references section) for a description of the fixes and enhancements in this particular release.

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue.

MediumVulnerabilityUnited StatesUnited KingdomGermany+8#cve#cve-2026-1287#cwe-89