Export limit exceeded: 357871 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1741 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-52615 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 5.3 Medium |
| A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | ||||
| CVE-2025-2786 | 1 Redhat | 1 Openshift Distributed Tracing | 2026-04-15 | 4.3 Medium |
| A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview and SubjectAccessReview requests, potentially revealing information about other users' permissions. While this does not allow privilege escalation or impersonation, it exposes information that could aid in gathering information for further attacks. | ||||
| CVE-2025-1244 | 1 Redhat | 7 Enterprise Linux, Openshift Builds, Rhel Aus and 4 more | 2026-04-15 | 8.8 High |
| A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. | ||||
| CVE-2025-6032 | 1 Redhat | 3 Enterprise Linux, Openshift, Rhel Eus | 2026-04-15 | 8.3 High |
| A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. | ||||
| CVE-2024-10963 | 1 Redhat | 4 Enterprise Linux, Openshift, Openshift Ai and 1 more | 2026-04-15 | 7.4 High |
| A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals. | ||||
| CVE-2025-4432 | 1 Redhat | 5 Enterprise Linux, Openshift, Satellite and 2 more | 2026-04-15 | 5.3 Medium |
| A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received. | ||||
| CVE-2024-45812 | 2 Redhat, Vitejs | 2 Openshift Distributed Tracing, Vite | 2026-04-15 | 6.4 Medium |
| Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-45813 | 1 Redhat | 3 Acm, Multicluster Engine, Openshift Devspaces | 2026-04-15 | 5.3 Medium |
| find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue. | ||||
| CVE-2025-11561 | 1 Redhat | 9 Ceph Storage, Enterprise Linux, Openshift and 6 more | 2026-04-15 | 8.8 High |
| A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts. | ||||
| CVE-2024-1975 | 2 Isc, Redhat | 8 Bind, Enterprise Linux, Openshift and 5 more | 2026-04-15 | 7.5 High |
| If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. | ||||
| CVE-2024-45811 | 2 Redhat, Vitejs | 2 Openshift Distributed Tracing, Vite | 2026-04-15 | 4.8 Medium |
| Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-10725 | 1 Redhat | 1 Openshift Ai | 2026-04-15 | 9.9 Critical |
| A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster's confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it. | ||||
| CVE-2024-45783 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 4.4 Medium |
| A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't properly set an ERRNO value. This issue may lead to a NULL pointer access. | ||||
| CVE-2024-11217 | 1 Redhat | 1 Openshift | 2026-04-15 | 4.9 Medium |
| A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug higher for OIDC/GitHub/GitLab/Google IDPs login options. | ||||
| CVE-2024-5321 | 1 Redhat | 1 Openshift | 2026-04-15 | 6.1 Medium |
| A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs. | ||||
| CVE-2024-52616 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 5.3 Medium |
| A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | ||||
| CVE-2025-8941 | 1 Redhat | 13 Cert Manager, Confidential Compute Attestation, Discovery and 10 more | 2026-04-15 | 7.8 High |
| A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020. | ||||
| CVE-2024-45774 | 1 Redhat | 2 Enterprise Linux, Openshift | 2026-04-15 | 6.7 Medium |
| A flaw was found in grub2. A specially crafted JPEG file can cause the JPEG parser of grub2 to incorrectly check the bounds of its internal buffers, resulting in an out-of-bounds write. The possibility of overwriting sensitive information to bypass secure boot protections is not discarded. | ||||
| CVE-2024-45497 | 1 Redhat | 2 Jboss Fuse, Openshift | 2026-04-15 | 7.6 High |
| A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties. | ||||
| CVE-2023-6596 | 1 Redhat | 1 Openshift | 2026-04-15 | 7.5 High |
| An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability for an OpenShift Containers. | ||||