Manageiq
Recent CVEs
| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-52903 | Important | 0.57 | 8.8 | — | Jun 9, 2026 | manageiq: YAML safe_load production fallback to unsafe_load enables RCE via deserialization |
| CVE-2021-32756 | High | 0.57 | 8.8 | 0.02 | Jul 21, 2021 | ManageIQ is an open-source management platform. In versions prior to jansa-4, kasparov-2, and lasker-1, there is a flaw in the MiqExpression module of ManageIQ where a low privilege user could enter a crafted Ruby string which would be evaluated. Successful exploitation will… |
| CVE-2014-0197 | High | 0.57 | 8.8 | 0.01 | Dec 13, 2019 | CFME: CSRF protection vulnerability via permissive check of the referrer header |
| CVE-2013-0185 | High | 0.57 | 8.8 | 0.01 | May 1, 2018 | Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise Virtualization Manager (EVM) allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors. |
| CVE-2014-0087 | High | 0.57 | 8.8 | 0.02 | Jan 11, 2018 | The check_privileges method in vmdb/app/controllers/application_controller.rb in ManageIQ, as used in Red Hat CloudForms Management Engine (CFME), allows remote authenticated users to bypass authorization and gain privileges by leveraging improper RBAC checking, related to the… |
| CVE-2016-4471 | High | 0.57 | 8.8 | 0.02 | Jun 8, 2017 | ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code. |
| CVE-2018-10905 | High | 0.51 | 7.8 | 0.00 | Jul 24, 2018 | CloudForms Management Engine (cfme) is vulnerable to an improper security setting in the dRuby component of CloudForms. An attacker with access to an unprivileged local shell could use this flaw to execute commands as a high privileged user. |
| CVE-2026-22598 | High | 0.46 | — | 0.00 | Jan 21, 2026 | ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout, leading to a Denial of Service. Version radjabov-2 contains a patch. One… |
| CVE-2024-43191 | — | 0.00 | — | 0.01 | Sep 26, 2024 | IBM ManageIQ could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted yaml file request. |
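Two entries in the table (CVE-2026-52903 and CVE-2024-43191) describe the same class of bug: a YAML loader that is meant to be safe but, on error, falls back to Psych's unsafe loader, which will instantiate any class named in a `!ruby/object:` tag. The block below is an added illustration of that pattern and its fix; it is not ManageIQ's code and makes no claim about where in ManageIQ the flaw lived. The `Marker` class, the YAML documents and the helper names are constructed for the example.

```ruby
require "yaml"

# Constructed stand-in for any class an attacker could name in a
# "!ruby/object:" tag. It does nothing dangerous; the point is only that
# the unsafe loader instantiates whatever class the document names.
class Marker
  attr_reader :tag
end

# Constructed inputs: one document carrying a Ruby object tag, one plain.
OBJECT_YAML = "--- !ruby/object:Marker\ntag: untrusted\n"
PLAIN_YAML  = "--- {name: web01, cpus: 2}\n"

# Psych >= 3.3 exposes YAML.unsafe_load; on older releases YAML.load was
# the unsafe loader.
UNSAFE_LOADER = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load

# Anti-pattern: "try the safe loader, and if it complains, fall back to the
# unsafe one". Psych::DisallowedClass is precisely the signal that the
# document tried to instantiate a class that was not permitted, so rescuing
# it and retrying unsafely turns the safety check into a no-op.
def load_with_fallback(doc)
  YAML.safe_load(doc)
rescue Psych::Exception
  YAML.public_send(UNSAFE_LOADER, doc)
end

# Hardened form: the safe loader is the only loader, the permitted class
# list is explicit, aliases are disabled, and a rejected document is an
# error for the caller to handle (log it, reject the request), never a
# reason to retry with fewer checks.
def load_strict(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted, aliases: false)
end

# Does the strict loader reject this document? Used by callers and tests.
def strict_rejects?(doc, permitted: [])
  load_strict(doc, permitted: permitted)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "fallback loader built a: #{load_with_fallback(OBJECT_YAML).class}"
  puts "strict loader rejects object tag: #{strict_rejects?(OBJECT_YAML)}"
  puts "strict loader on plain data: #{load_strict(PLAIN_YAML).inspect}"
end
```

When auditing a Ruby code base for this pattern, grep for `rescue` clauses around `safe_load` that lead to `unsafe_load`, `load` (pre-Psych 4) or `YAML.load_file`, and for `permitted_classes:` lists that include `Object` or `Symbol`-heavy gadget-capable classes; the fix is to fail closed and, where a real class must be deserialized, name it explicitly as `permitted:` does above.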
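CVE-2014-0197 is summarized only as a "permissive check of the referrer header" in the CSRF protection; the page gives no further detail, so the block below is an added, generic illustration of why a loose Referer comparison fails and what a strict one looks like. It is not the CFME code and does not reproduce the original flaw; `APP_ORIGIN`, the sample headers and the function names are constructed for the example.

```ruby
require "uri"

# Constructed: the origin the application believes it is served from.
APP_ORIGIN = "https://cfme.example.internal"

# Weak check: a prefix comparison on the raw header. Anything that merely
# begins with the application's URL passes, including another host whose
# name starts with ours, a userinfo trick, or a different port.
def referer_allowed_permissive?(referer)
  return false if referer.nil?
  referer.start_with?(APP_ORIGIN)
end

# Strict check: parse the header and compare scheme, host and effective
# port with the application's origin. A missing or unparsable header is a
# failure, not a pass, because CSRF defence must fail closed.
def referer_allowed_strict?(referer, origin: APP_ORIGIN)
  return false if referer.nil? || referer.empty?
  ref = URI.parse(referer)
  app = URI.parse(origin)
  return false unless ref.scheme && ref.host
  ref.scheme.casecmp?(app.scheme) && ref.host.casecmp?(app.host) && ref.port == app.port
rescue URI::InvalidURIError
  false
end

# Constructed sample Referer values a CSRF filter might see.
SAMPLE_REFERERS = [
  "https://cfme.example.internal/dashboard",          # genuine same-origin
  "https://cfme.example.internal.attacker.example/",   # host prefix collision
  "https://cfme.example.internal@attacker.example/",   # our host as userinfo
  "https://cfme.example.internal:8443/",               # different port
  "http://cfme.example.internal/",                     # scheme downgrade
  "not a url",
  nil,
].freeze

# Referers the permissive check accepts but the strict check rejects:
# exactly the requests a CSRF attacker could forge through the loose check.
def permissive_only
  SAMPLE_REFERERS.select do |r|
    referer_allowed_permissive?(r) && !referer_allowed_strict?(r)
  end
end

if __FILE__ == $PROGRAM_NAME
  permissive_only.each { |r| puts "accepted only by prefix check: #{r}" }
end
```

The strict comparison is the same origin tuple a browser uses for its own same-origin decisions; in a Rails application the framework's authenticity token, not the Referer header, should be the primary CSRF control, with an Origin or Referer check as defence in depth.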