Threats Tagged 'cve-2026-4519'

Red Hat OpenShift Container Platform 4.13.67 is a bug fix and security update release addressing multiple vulnerabilities including information disclosure, denial of service, privilege escalation, and arbitrary code execution. The update fixes issues in components such as OpenSSH, nghttp2, libarchive, sudo, and the Linux kernel. No new security fixes are introduced beyond those already documented in the referenced CVEs. Users of OpenShift Container Platform 4.13 are advised to upgrade to this release when available via official channels.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * cpython: wsgiref.headers.Headers allows header newline injection in Python (CVE-2026-0865) * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297) * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644) * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224) * python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502) * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100) * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786) * python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. (CVE-2026-5713) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): * cpython: wsgiref.headers.Headers allows header newline injection in Python (CVE-2026-0865) * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297) * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644) * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224) * python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502) * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100) * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786) * python: Python: Information disclosure and arbitrary code execution via remote debugging with a malicious process. (CVE-2026-5713) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat® AI Inference Server

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fix(es): * openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables (CVE-2026-3497) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Update Infrastructure (RHUI) 5.1 container images have a critical security advisory addressing multiple vulnerabilities. The update involves the latest RHUI RPM packages and base images (ubi9 or ubi9-init). The advisory references a large set of CVEs but does not provide specific technical details or fixes for individual issues. The vendor recommends deploying updated container images using the rhui-installer utility. No explicit patch or fix details are provided in the advisory.

Red Hat® Enterprise Linux® AI is a foundation model platform to seamlessly develop, test, and run Granite family large language models (LLMs) for enterprise applications.

Red Hat® Enterprise Linux® AI is a foundation model platform to seamlessly develop, test, and run Granite family large language models (LLMs) for enterprise applications.

The RHEL-8 based Middleware Containers container images have been updated to address the following security advisory: RHSA-2026:11077 RHSA-2026:7667 RHSA-2026:8534 RHSA-2026:9745 (see References) Security Fixes: * rsync: Rsync: Out of bounds array access via negative index (CVE-2025-10158) * gnutls: Stack-based Buffer Overflow in gnutls_pkcs11_token_init() Function (CVE-2025-9820) * gnutls: GnuTLS: Denial of Service via excessive resource consumption during certificate verification (CVE-2025-14831) * openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables (CVE-2026-3497) * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135) * libarchive: libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing (CVE-2026-4424) * python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) * libarchive: libarchive: Arbitrary code execution via integer overflow in ISO9660 image processing (CVE-2026-5121) * python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100) * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786) Users of RHEL-8 based Middleware Containers container images are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images. You can find images updated by this advisory in Red Hat Container Catalog (see References).

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().