RHSA-2026:13826 · Critical · CVSS 9.8

Red Hat Security Advisory: Red Hat Developer Hub 1.9.4 release.

Published: May 5, 2026
Last Modified: June 2, 2026

CVE IDs covered (25)

CVE-2025-62718
CVE-2026-1525 · pending
CVE-2026-4800
CVE-2026-32282
CVE-2026-33896
CVE-2025-69534 · pending
CVE-2026-29186 · pending
CVE-2026-32280
CVE-2026-33228 · pending
CVE-2026-33891
CVE-2026-40895
CVE-2026-1528 · pending
CVE-2026-3118
CVE-2026-27601
CVE-2026-27904 · pending
CVE-2026-33894
CVE-2026-33895
CVE-2026-39983
CVE-2026-40175
CVE-2026-1526 · pending
CVE-2026-2229 · pending
CVE-2026-4926
CVE-2026-29063
CVE-2026-29074 · pending
CVE-2026-32141 · pending

Description

CVE-2025-62718 — axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
CVE-2025-69534 — python-markdown: denial of service via malformed HTML-like sequences
CVE-2026-1525 — undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length
CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
CVE-2026-3118 — rhdh: GraphQL Injection Leading to Platform-Wide Denial of Service (DoS) in RH Developer Hub Orchestrator Plugin
CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports
CVE-2026-4926 — path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions
CVE-2026-27601 — Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions
CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution
CVE-2026-29074 — svgo: SVGO: Denial of Service via XML entity expansion
CVE-2026-29186 — backstage/plugin-techdocs-node: TechDocs Mkdocs configuration key enables arbitrary code execution
CVE-2026-32141 — flatted: flatted: Unbounded recursion DoS in parse() revive phase
CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
CVE-2026-32282 — golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
CVE-2026-33228 — flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON
CVE-2026-33891 — node-forge: node-forge: Denial of Service via infinite loop in BigInteger.modInverse()
CVE-2026-33894 — node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification
CVE-2026-33895 — node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures
CVE-2026-33896 — node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance
CVE-2026-39983 — basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters
CVE-2026-40175 — axios: Axios: Remote Code Execution via Prototype Pollution escalation
CVE-2026-40895 — follow-redirects: follow-redirects: Information disclosure via cross-domain redirects
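To turn the list above into something a deployment owner can act on, the following triage script is added here as an example; it is not Red Hat tooling and not part of the advisory. It takes the advisory's CVE-ID line exactly as it was extracted (IDs run together, some suffixed "· pending") and the description entries, splits them into structured records, groups CVEs by affected component, and cross-checks that every listed ID has a description and vice versa. Both inputs are copied from this page; treating the text before the first colon of each entry as the component name is an assumption about the advisory's naming convention.

```python
import re
from collections import defaultdict

# Constructed inputs for this added example: the advisory's CVE-ID line as it
# was extracted from the page, and its Description entries. Added illustration,
# not Red Hat tooling.
CVE_ID_LINE = (
    "CVE-2025-62718CVE-2026-1525 · pendingCVE-2026-4800CVE-2026-32282CVE-2026-33896"
    "CVE-2025-69534 · pendingCVE-2026-29186 · pendingCVE-2026-32280CVE-2026-33228 · pending"
    "CVE-2026-33891CVE-2026-40895CVE-2026-1528 · pendingCVE-2026-3118CVE-2026-27601"
    "CVE-2026-27904 · pendingCVE-2026-33894CVE-2026-33895CVE-2026-39983CVE-2026-40175"
    "CVE-2026-1526 · pendingCVE-2026-2229 · pendingCVE-2026-4926CVE-2026-29063"
    "CVE-2026-29074 · pendingCVE-2026-32141 · pending"
)

DESCRIPTION = """
CVE-2025-62718 — axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
CVE-2025-69534 — python-markdown: denial of service via malformed HTML-like sequences
CVE-2026-1525 — undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers
CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression
CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length
CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter
CVE-2026-3118 — rhdh: GraphQL Injection Leading to Platform-Wide Denial of Service (DoS) in RH Developer Hub Orchestrator Plugin
CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports
CVE-2026-4926 — path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions
CVE-2026-27601 — Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions
CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution
CVE-2026-29074 — svgo: SVGO: Denial of Service via XML entity expansion
CVE-2026-29186 — backstage/plugin-techdocs-node: TechDocs Mkdocs configuration key enables arbitrary code execution
CVE-2026-32141 — flatted: flatted: Unbounded recursion DoS in parse() revive phase
CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building
CVE-2026-32282 — golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
CVE-2026-33228 — flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON.
CVE-2026-33891 — node-forge: node-forge: Denial of Service via infinite loop in BigInteger.modInverse()
CVE-2026-33894 — node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification
CVE-2026-33895 — node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures
CVE-2026-33896 — node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance
CVE-2026-39983 — basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters
CVE-2026-40175 — axios: Axios: Remote Code Execution via Prototype Pollution escalation
CVE-2026-40895 — follow-redirects: follow-redirects: Information disclosure via cross-domain redirects
"""

# A CVE ID, optionally followed by the page's "· pending" marker.
ID_RE = re.compile(r"(CVE-\d{4}-\d{4,7})( · pending)?")
# "CVE-ID <dash> component: title"; component = text before the first colon (assumption).
ENTRY_RE = re.compile(r"^(CVE-\d{4}-\d{4,7})\s+[—–-]\s+([^:]+):\s*(.+)$")


def parse_cve_ids(line):
    """Split the run-together ID line into {cve_id: is_pending}."""
    return {m.group(1): m.group(2) is not None for m in ID_RE.finditer(line)}


def parse_description(text):
    """Return one {cve, component, title} record per non-empty description line."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised advisory line: {raw!r}")
        cve, component, title = m.groups()
        entries.append({"cve": cve, "component": component.strip(), "title": title.rstrip(".")})
    return entries


def group_by_component(entries):
    """Map component name -> list of CVE IDs, in description order."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["component"]].append(e["cve"])
    return dict(grouped)


def triage(id_line, description):
    """Summarise the advisory and flag ID/description mismatches."""
    ids = parse_cve_ids(id_line)
    entries = parse_description(description)
    described = {e["cve"] for e in entries}
    by_component = group_by_component(entries)
    return {
        "cve_count": len(ids),
        "pending": sorted(c for c, pending in ids.items() if pending),
        # Components with the most CVEs first, then alphabetical.
        "components": sorted(by_component.items(), key=lambda kv: (-len(kv[1]), kv[0])),
        "ids_without_description": sorted(set(ids) - described),
        "descriptions_without_id": sorted(described - set(ids)),
    }


if __name__ == "__main__":
    summary = triage(CVE_ID_LINE, DESCRIPTION)
    print(f"{summary['cve_count']} CVEs, {len(summary['pending'])} marked pending")
    for component, cves in summary["components"]:
        print(f"{len(cves):2d}  {component}: {', '.join(cves)}")
    if summary["ids_without_description"] or summary["descriptions_without_id"]:
        print("mismatch:", summary["ids_without_description"], summary["descriptions_without_id"])
```

On this advisory the two lists agree (25 IDs, 25 descriptions), node-forge and undici each account for four CVEs, and ten IDs carry the "pending" marker. Apart from rhdh, golang and crypto/x509, the component names are npm package names, so the grouped output can be checked against a deployment's SBOM or node_modules tree to see which of the affected packages are actually present.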

References (37)