
Threats Tagged 'cve-2026-40175'

View all threats tagged with 'cve-2026-40175'. Filter and sort to focus on specific types of threats.


Red Hat Security Advisory: Red Hat Developer Hub 1.9.4 release.
CVE-2025-62718

Red Hat Developer Hub (RHDH) version 1.9.4 addresses multiple critical security vulnerabilities affecting its enterprise-grade developer portal platform. RHDH is a self-managed, customizable portal based on Backstage.io, supporting major Kubernetes clusters. The advisory references 25 CVEs including CVE-2025-62718 and others, indicating a broad set of security issues. The vendor has released RHDH 1.9.4 to fix these vulnerabilities. No known exploits are reported in the wild at this time.

Red Hat Security Advisory: Network Observability 1.11.2 for OpenShift
CVE-2025-62718

Multiple security vulnerabilities have been identified in Red Hat's Network Observability 1.11.2 for OpenShift, a network flows collector and monitoring solution. The advisory references 13 CVEs including CVE-2025-62718 and others, with a high severity rating. No known exploits are reported in the wild. The vendor advisory does not explicitly state that a fix is available and does not list any patches. The advisory provides guidance on applying updates but does not confirm remediation status. The product is not a cloud service, so remediation depends on user action. The vulnerabilities involve a range of CWEs indicating issues such as improper input validation and potential code execution risks. No specific affected countries are identified.

Red Hat Security Advisory: RHACS 4.9.7 security and bug fix update
CVE-2025-62718

Red Hat Advanced Cluster Security for Kubernetes (RHACS) version 4.9.7 includes multiple security and bug fixes addressing a set of vulnerabilities identified by CVE-2025-62718 and nine additional CVEs. The advisory highlights an important security update that resolves inconsistencies in CVE severity and fixes several security issues across components. Users of earlier RHACS versions are advised to upgrade to 4.9.7 to benefit from these patches. No known exploits in the wild have been reported for these vulnerabilities at this time.

Red Hat Security Advisory: General availability of the satellite/iop-host-inventory-frontend-rhel9 container image
CVE-2026-21441

Red Hat has announced the general availability of the satellite/iop-host-inventory-frontend-rhel9 container image for Red Hat Satellite 6.18. This relates to Red Hat Lightspeed, a component that analyzes system health and configuration locally by applying predefined rules to limited system data. The advisory references three CVEs (CVE-2026-21441, CVE-2026-25639, CVE-2026-40175) but does not provide specific technical details or exploitation information. No patches or fixes are explicitly mentioned in the advisory. The container image enables local generation of recommendations without sending data externally. The severity is marked critical, but no CVSS score is provided.

Red Hat Security Advisory: General availability of the satellite/iop-advisor-frontend-rhel9 container image
CVE-2026-25639

Red Hat has announced the general availability of the satellite/iop-advisor-frontend-rhel9 container image for Red Hat Satellite 6.18. This component is part of Red Hat Lightspeed in Satellite, which analyzes system health and configuration locally by applying predefined rules to limited local data such as installed packages and running services. The advisory references two CVEs (CVE-2026-25639 and CVE-2026-40175) with critical severity but does not provide specific technical details or a CVSS score. No patches or fixes are explicitly mentioned in the advisory, and no known exploits are reported in the wild. The vendor documentation suggests installing and configuring Red Hat Lightspeed locally to generate recommendations without sending data externally.

Red Hat Security Advisory: Streams for Apache Kafka 3.2.0 release and security update
CVE-2024-29371

Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. This release of Red Hat Streams for Apache Kafka 3.2.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.1.0, and includes security and bug fixes, and enhancements.

Security Fix(es):

* Drain Cleaner, Kafka Exporter - Eclipse Vert.x Web static handler file access denial [amq-st-3.2] (CVE-2026-1002)
* Drain Cleaner, Kroxylicious - Netty denial of service [amqst-3.2] (CVE-2026-33871)
* Drain Cleaner, Kroxylicious - Netty request smuggling attacks [amqst-3.2] (CVE-2026-33870)
* Cruise Control - jose4j denial of service [amqst-3.2] (CVE-2024-29371)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Memory exhaustion in query parameter parsing in net/url [amq-st-3.2] (CVE-2025-61726)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: golang: Denial of Service due to excessive resource consumption via crafted certificate [amq-st-3.2] (CVE-2025-61729)
* Kafka Exporter - golang-github-danielqsj-kafka_exporter: Unexpected session resumption in crypto/tls [amqst-3.2] (CVE-2025-68121)
* console UI - Next.js Server-Side Request Forgery in Server Actions [amqst-3.2] (CVE-2024-34351)
* console UI - com.github.streamshub-console: Next.js: Unbounded next/image disk cache growth can exhaust storage [amqst-3.2] (CVE-2026-27980)
* console UI - Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [amqst-3.2] (CVE-2025-62718)
* console UI - React Server Components: Denial of Service via specially crafted HTTP requests [amqst-3.2] (CVE-2026-23864)
* console UI - Axios: Remote Code Execution via Prototype Pollution escalation [amqst-3.2] (CVE-2026-40175)
* console UI - lodash: Arbitrary code execution via untrusted input in template imports [amqst-3.2] (CVE-2026-4800)

Red Hat Security Advisory: A Subscription Management tool for finding and reporting Red Hat product usage
CVE-2025-62718

Red Hat Discovery is a tool used to inspect and report environment data such as system counts, operating systems, and configuration details within a network. The advisory references multiple CVEs including CVE-2025-62718 affecting Red Hat Discovery and related products. The vendor advisory does not indicate any available fixes or patches for these vulnerabilities as of the publication date. No known exploits are reported in the wild. The severity is assessed as high based on the advisory metadata, but detailed impact specifics are not provided. The advisory suggests installing containers via discovery-installer RPM but does not explicitly state this as a remediation for the vulnerabilities. No geographic targeting is indicated. Patch status is not confirmed; users should consult the official Red Hat advisory for updates.

Red Hat Security Advisory: RHTAS 1.3.4 - Red Hat Trusted Artifact Signer Release
CVE-2026-4926

The RHTAS Operator can be used with OpenShift Container Platform 4.16, 4.17, 4.18, 4.19 and 4.20

Red Hat Security Advisory: OpenShift Container Platform 4.20.16 packages and security update
CVE-2025-61728

Red Hat OpenShift Dev Spaces 3.27.1 is a cloud developer workspace server and browser-based IDE designed for container-based development on OpenShift. The 3.27 release introduces support for devfile v2.1 and v2.2 standards, urging users to migrate from the deprecated v1 standard. This advisory references multiple CVEs, including CVE-2025-61728, indicating a collection of vulnerabilities affecting this product version. No specific fixes or patches are detailed in the advisory, and users are encouraged to update to supported OpenShift releases (v4.16 and higher) to continue receiving updates.

Red Hat Security Advisory: OpenShift Container Platform 4.16.60 packages and security update
CVE-2025-61726

Red Hat has released security fixes and updated container images for VolSync v0.14, a Kubernetes operator that enables asynchronous replication of persistent volumes within or across clusters. The update addresses multiple vulnerabilities identified by CVE identifiers CVE-2025-61726, CVE-2025-61728, CVE-2025-61729, CVE-2026-32282, and CVE-2026-33186. These vulnerabilities have been rated with an overall security impact of Important by Red Hat Product Security. The advisory corresponds to Red Hat Advanced Cluster Management for Kubernetes 2.15 and related components. No known exploits in the wild have been reported. Users are advised to apply the updated VolSync v0.14.2 images to remediate these issues.


Showing 1 to 10 of 14 results
