Threats Tagged 'cve-2026-32590'

Red Hat Quay 3. 17. 3 addresses security vulnerabilities identified as CVE-2026-32590 and CVE-2026-32591. The update includes bug fixes and improvements such as logging source IP addresses behind OpenShift haproxy ingress controllers and allowing a single email address for multiple organizations. The advisory classifies the severity as high. No known exploits are reported in the wild. The vendor has released this version as a security update.

Quay 3.17.2

See the release notes (link in the references section) for a description of the fixes and enhancements in this particular release.

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.16.60. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2026:10096 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/release_notes/

Submariner is a Kubernetes operator that enables cross-cluster connectivity for services and pods, implementing KEP-1645 (Multi-Cluster Services API). After deploying the Submariner operator, it can enable direct networking between pods and services across different Kubernetes clusters. For more information about Submariner, see the Submariner open source community website at: https://submariner.io/.

Kiali 2.11.9, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2025-62718 Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization (OSSM-13231, OSSM-13234) * CVE-2026-25679 Incorrect parsing of IPv6 host literals in net/url (OSSM-12921) * CVE-2026-29074 SVGO: Denial of Service via XML entity expansion (OSSM-12897, OSSM-12898) * CVE-2026-29063 Immutable.js: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (OSSM-12977, OSSM-12978) * CVE-2026-33186 gRPC-Go: Authorization bypass due to improper HTTP/2 path validation (OSSM-13012) * CVE-2026-4800 lodash: Arbitrary code execution via untrusted input in template imports (OSSM-13119, OSSM-13120) * CVE-2026-34986 Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object (OSSM-13147) * CVE-2026-40175 Axios: Remote Code Execution via Prototype Pollution escalation (OSSM-13256, OSSM-13257) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.