VYPR

Vendor CVEs

Red Hat

All CVEs

3,692 total · sorted by risk
  • CVE-2017-5046MedApr 24, 2017
    risk 0.28cvss 4.3epss 0.01

    V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android had insufficient policy enforcement, which allowed a remote attacker to spoof the location object via a crafted HTML page, related to Blink information disclosure.

  • CVE-2017-5033MedApr 24, 2017
    risk 0.28cvss 4.3epss 0.01

    Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the…

  • CVE-2017-3464MedApr 24, 2017
    risk 0.28cvss 4.3epss 0.02

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access…

  • CVE-2016-6519MedApr 21, 2017
    risk 0.28cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form.

  • CVE-2016-4428MedJul 12, 2016
    risk 0.28cvss 5.4epss 0.02

    Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.

  • CVE-2016-3725MedMay 17, 2016
    risk 0.28cvss 4.3epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permissions check. NOTE: this issue can be combined with DNS cache poisoning to cause a denial of service (service disruption).

  • CVE-2016-3723MedMay 17, 2016
    risk 0.28cvss 4.3epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.

  • CVE-2016-3722MedMay 17, 2016
    risk 0.28cvss 4.3epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."

  • CVE-2016-3721MedMay 17, 2016
    risk 0.28cvss 4.3epss 0.02

    Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.

  • CVE-2016-1664MedMay 14, 2016
    risk 0.28cvss 4.3epss 0.01

    The HistoryController::UpdateForCommit function in content/renderer/history_controller.cc in Google Chrome before 50.0.2661.94 mishandles the interaction between subframe forward navigations and other forward navigations, which allows remote attackers to spoof the address bar…

  • CVE-2015-0284MedApr 14, 2016
    risk 0.28cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in spacewalk-java in Spacewalk and Red Hat Satellite 5.7 allows remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the XMLRPC API, involving user details. NOTE: this vulnerability exists because of…

  • CVE-2015-7528MedApr 11, 2016
    risk 0.28cvss 5.3epss 0.02

    Kubernetes before 1.2.0-alpha.5 allows remote attackers to read arbitrary pod logs via a container name.

  • CVE-2015-8629MedFeb 13, 2016
    risk 0.28cvss 5.3epss 0.04

    The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a…

  • CVE-2011-3344MedFeb 5, 2014
    risk 0.28cvss 5.4epss 0.01

    A flaw was found in Spacewalk. A remote attacker can exploit a cross-site scripting (XSS) vulnerability in the Lookup Login/Password form by injecting arbitrary web script or HTML via the URI. This can lead to information disclosure or unauthorized actions within the user's…

  • CVE-2026-10052MedMay 29, 2026
    risk 0.27cvss 4.1epss 0.00

    A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endpoints without proper IP or host filtering. This allows the attacker to perform…

  • CVE-2026-9794MedMay 28, 2026
    risk 0.27cvss 5.3epss 0.00

    A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct…

  • CVE-2026-9689MedMay 27, 2026
    risk 0.27cvss 4.2epss 0.00

    A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web…

  • CVE-2026-4325MedApr 2, 2026
    risk 0.27cvss 5.3epss 0.00

    A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password…

  • CVE-2026-2100MedMar 26, 2026
    risk 0.27cvss 5.3epss 0.01

    A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an…

  • CVE-2026-2575MedMar 18, 2026
    risk 0.27cvss 5.3epss 0.01

    A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading…

  • CVE-2026-0598MedFeb 6, 2026
    risk 0.27cvss 4.2epss 0.00

    A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid…

  • CVE-2023-5342MedAug 14, 2025
    risk 0.27cvss 4.1epss 0.00

    The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired which could lead to old or invalid signed boot components being loaded.

  • CVE-2017-2653MedJul 27, 2018
    risk 0.27cvss 4.1epss 0.01

    A number of unused delete routes are present in CloudForms before 5.7.2.1 which can be accessed via GET requests instead of just POST requests. This could allow an attacker to bypass the protect_from_forgery XSRF protection causing the routes to be used. This attack would…

  • CVE-2017-10268MedOct 19, 2017
    risk 0.27cvss 4.1epss 0.01

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon…

  • CVE-2015-5233MedApr 11, 2016
    risk 0.27cvss 4.2epss 0.01

    Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to…

  • CVE-2026-2625MedApr 3, 2026
    risk 0.26cvss 4.0epss 0.00

    A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code,…

  • CVE-2025-5372MedJul 4, 2025
    risk 0.26cvss 5.0epss 0.00

    A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the…

  • CVE-2024-11483MedNov 25, 2024
    risk 0.26cvss 5.0epss 0.01

    A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2…

  • CVE-2023-3597MedApr 25, 2024
    risk 0.26cvss 5.0epss 0.01

    A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and…

  • CVE-2017-10295MedOct 19, 2017
    risk 0.26cvss 4.0epss 0.02

    Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows…

  • CVE-2017-3318MedJan 27, 2017
    risk 0.26cvss 4.0epss 0.00

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Error Handling). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with…

  • CVE-2017-3317MedJan 27, 2017
    risk 0.26cvss 4.0epss 0.00

    Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Logging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the…

  • CVE-2026-37978MedMay 19, 2026
    risk 0.25cvss 4.9epss 0.00

    A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable…

  • CVE-2026-2376MedMar 12, 2026
    risk 0.25cvss 4.9epss 0.00

    A flaw was found in mirror-registry where an authenticated user can trick the system into accessing unintended internal or restricted systems by providing malicious web addresses. When the application processes these addresses, it automatically follows redirects without…

  • CVE-2016-8647MedJul 26, 2018
    risk 0.25cvss 4.9epss 0.01

    An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.

  • CVE-2016-3716LowMay 5, 2016
    risk 0.25cvss 3.3epss 0.11

    The MSL coder in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allows remote attackers to move arbitrary files via a crafted image.

  • CVE-2026-2708LowApr 23, 2026
    risk 0.24cvss 3.7epss 0.00

    A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields.…

  • CVE-2026-3184LowApr 3, 2026
    risk 0.24cvss 3.7epss 0.00

    A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname,…

  • CVE-2017-3544LowApr 24, 2017
    risk 0.24cvss 3.7epss 0.02

    Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows…

  • CVE-2017-3533LowApr 24, 2017
    risk 0.24cvss 3.7epss 0.03

    Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows…

  • CVE-2016-1000033LowOct 25, 2016
    risk 0.24cvss 3.7epss 0.01

    Shotwell version 0.22.0 (and possibly other versions) is vulnerable to a TLS/SSL certification validation flaw resulting in a potential for man in the middle attacks.

  • CVE-2016-5444LowJul 21, 2016
    risk 0.24cvss 3.7epss 0.04

    Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Connection.

  • CVE-2016-3452LowJul 21, 2016
    risk 0.24cvss 3.7epss 0.04

    Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Security:…

  • CVE-2015-4170MedMay 2, 2016
    risk 0.24cvss 4.7epss 0.00

    Race condition in the ldsem_cmpxchg function in drivers/tty/tty_ldsem.c in the Linux kernel before 3.13-rc4-next-20131218 allows local users to cause a denial of service (ldsem_down_read and ldsem_down_write deadlock) by establishing a new tty thread during shutdown of a…

  • CVE-2014-3611MedNov 10, 2014
    risk 0.24cvss 4.7epss 0.00

    Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.

  • CVE-2024-49502LowNov 28, 2024
    risk 0.23cvss 3.5epss 0.00

    A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy credentials pane in spacewalk-web allows attackers to attack users by providing specially crafted URLs to click. This issue affects…

  • CVE-2016-7061LowSep 10, 2018
    risk 0.23cvss 3.5epss 0.02

    An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.

  • CVE-2017-12175LowJul 26, 2018
    risk 0.23cvss 3.5epss 0.01

    Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule when you are entering filter and you use autocomplete functionality.

  • CVE-2017-7509LowJul 26, 2018
    risk 0.23cvss 3.5epss 0.01

    An input validation error was found in Red Hat Certificate System's handling of client provided certificates before 8.1.20-1. If the certreq field is not present in a certificate an assertion error is triggered causing a denial of service.

  • CVE-2017-7538LowJul 26, 2018
    risk 0.23cvss 3.5epss 0.01

    A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users.

Page 25 of 74