Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threats Tagged 'cve-2026-32281'

View all threats tagged with 'cve-2026-32281'. Filter and sort to focus on specific types of threats.

Pro Console Lifetime

Stop chasing alerts. Route them.

Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.

Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)

View Plans & Pricing

API access activates after upgrading in Console -> Billing.

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

Filter Threats

Narrow down the results by type, severity, or affected countries

Search threats by title, CVE ID, or description. Maximum 100 characters.
Active filters (1):Tag: cve-2026-32281

Threats Tagged 'cve-2026-32281'

Click on any threat for detailed analysis and mitigation recommendations

Red Hat Security Advisory: Satellite 6.19.2 Async UpdateCVE-2026-5135
0

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Security Fix(es): * candlepin: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects (CVE-2026-27727) * yggdrasil-worker-forwarder: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679) * yggdrasil-worker-forwarder: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application (CVE-2026-33810) * yggdrasil-worker-forwarder: Root.Chmod can follow symlinks out of the root (CVE-2026-32282) * yggdrasil-worker-forwarder: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280) * yggdrasil-worker-forwarder: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283) * yggdrasil-worker-forwarder: Go crypto/x509: Denial of Service via inefficient certificate chain validation (CVE-2026-32281) * python-pillow: Pillow: Denial of Service via decompression bomb in FITS image processing (CVE-2026-40192) * python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens (CVE-2026-48526) * foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass (CVE-2026-5142) * foreman: Foreman: Information disclosure via improper validation of nested request parameters (CVE-2026-5138) * foreman: Foreman: Privilege escalation to administrator-level access via usergroup role assignment manipulation (CVE-2026-5136) * foreman: Foreman: Unauthorized modification of host configurations via broken access control (CVE-2026-5135)

Join the discussion
CVE-2026-9277: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in shell-quoteCVE-2026-9277
0

shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`.

Join the discussion
Red Hat Security Advisory: Kiali 2.11.12 for Red Hat OpenShift Service Mesh 3.1CVE-2026-9277
0

Kiali 2.11.12, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-32281 redhat-user-workloads/kiali-3-1: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13868) * CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13909) * CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13913) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Join the discussion
Red Hat Security Advisory: Kiali 2.17.9 for Red Hat OpenShift Service Mesh 3.2CVE-2026-9277
0

Kiali 2.17.9, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-32281 redhat-user-workloads/kiali-3-2: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13869) * CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13911) * CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13915) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Join the discussion
Red Hat Security Advisory: Kiali 2.4.18 for Red Hat OpenShift Service Mesh 3.0CVE-2026-9277
0

Kiali 2.4.18, for Red Hat OpenShift Service Mesh 3.0, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-32281 redhat-user-workloads/kiali-3-0: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13867) * CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13909) * CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13913) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Join the discussion

Showing 1 to 5 of 5 results

Filters:Tag: cve-2026-32281
Page 1 of 1
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses