Threats Tagged 'cve-2026-9277'
View all threats tagged with 'cve-2026-9277'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'cve-2026-9277'
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-9277: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in shell-quoteCVE-2026-9277 0 shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`. Join the discussion | GCVE Database | 05/22/2026, 13:22:38 UTC Added: 06/15/2026, 23:17:42 UTC |
Red Hat Security Advisory: Kiali 2.11.12 for Red Hat OpenShift Service Mesh 3.1CVE-2026-9277 0 Kiali 2.11.12, for Red Hat OpenShift Service Mesh 3.1, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-32281 redhat-user-workloads/kiali-3-1: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13868) * CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13909) * CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13913) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Join the discussion | GCVE Database | 06/15/2026, 22:11:01 UTC Added: 06/15/2026, 23:17:42 UTC |
Red Hat Security Advisory: Kiali 2.17.9 for Red Hat OpenShift Service Mesh 3.2CVE-2026-9277 0 Kiali 2.17.9, for Red Hat OpenShift Service Mesh 3.2, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-32281 redhat-user-workloads/kiali-3-2: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13869) * CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13911) * CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13915) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Join the discussion | GCVE Database | 06/15/2026, 22:32:11 UTC Added: 06/15/2026, 23:17:42 UTC |
Red Hat Security Advisory: Kiali 2.4.18 for Red Hat OpenShift Service Mesh 3.0CVE-2026-9277 0 Kiali 2.4.18, for Red Hat OpenShift Service Mesh 3.0, provides observability for the service mesh by offering a visual representation of the mesh topology and metrics, helping users monitor, trace, and manage efficiently. Security Fix(es): * CVE-2026-32281 redhat-user-workloads/kiali-3-0: Go crypto/x509: Denial of Service via inefficient certificate chain validation (ossm-13867) * CVE-2026-9277 openshift-service-mesh/kiali-ossmc-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13909) * CVE-2026-9277 openshift-service-mesh/kiali-rhel9: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators (ossm-13913) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Join the discussion | GCVE Database | 05/22/2026, 13:22:38 UTC Added: 06/15/2026, 23:17:42 UTC |
Red Hat Security Advisory: OpenShift Container Platform 4.20.27 bug fix and security updateCVE-2026-6322 0 Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.20.27. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHBA-2026:29798 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/release_notes/ Join the discussion | GCVE Database | 06/23/2026, 21:51:13 UTC Added: 06/11/2026, 17:33:03 UTC |
Showing 1 to 5 of 5 results