RHSA-2026:10175
Severity: High
CVSS 9.8

Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.27.1 Release.

Published: April 23, 2026
Last Modified: June 3, 2026

CVE IDs covered (25)

CVE-2025-61728
CVE-2026-26999 (pending)
CVE-2026-33186
CVE-2026-33433
CVE-2026-33805
CVE-2026-33941 (pending)
CVE-2026-40175
CVE-2026-4800
CVE-2026-4926
CVE-2026-27137
CVE-2026-33870 (pending)
CVE-2026-33937 (pending)
CVE-2026-33939 (pending)
CVE-2026-34986
CVE-2025-62718
CVE-2026-22731
CVE-2026-25679
CVE-2026-27606 (pending)
CVE-2026-32305 (pending)
CVE-2026-33871 (pending)
CVE-2026-33938 (pending)
CVE-2026-33940 (pending)
CVE-2026-2332
CVE-2026-29054 (pending)
CVE-2026-32695

Description

CVE-2025-61728 — golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
CVE-2025-62718 — axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
CVE-2026-2332 — org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing
CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports
CVE-2026-4926 — path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions
CVE-2026-22731 — Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path
CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url
CVE-2026-26999 — github.com/traefik/traefik: Traefik: Denial of Service due to incomplete TLS handshake
CVE-2026-27137 — crypto/x509: Incorrect enforcement of email constraints in crypto/x509
CVE-2026-27606 — rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability
CVE-2026-29054 — github.com/traefik/traefik: Traefik: Information disclosure due to case-insensitive Connection header processing
CVE-2026-32305 — github.com/traefik/traefik: Traefik: mTLS bypass allows unauthorized service access via fragmented ClientHello
CVE-2026-32695 — github.com/traefik/traefik: Traefik: Cross-tenant traffic exposure and host restriction bypass via rule-syntax injection in Knative provider
CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
CVE-2026-33433 — github.com/traefik/traefik: Traefik: Authentication bypass via non-canonical HTTP header injection
CVE-2026-33805 — @fastify/reply-from: @fastify/http-proxy: Fastify Reply From and HTTP Proxy: Security bypass via Connection header manipulation
CVE-2026-33870 — io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
CVE-2026-33871 — netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood
CVE-2026-33937 — handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
CVE-2026-33938 — handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite
CVE-2026-33939 — handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
CVE-2026-33940 — handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context
CVE-2026-33941 — handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw
CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object
CVE-2026-40175 — axios: Axios: Remote Code Execution via Prototype Pollution escalation

References (29)