Red Hat Security Advisory: Red Hat Quay 3.16.4

CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-62718 — axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization CVE-2026-2377 — mirror-registry: quay: quay: Server-Side Request Forgery via log export functionality CVE-2026-4427 — github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message CVE-2026-4598 — jsrsasign: jsrsasign: Denial of Service via infinite loop in bnModInverse function with crafted inputs CVE-2026-4599 — jsrsasign: jsrsasign: Private key recovery via incomplete comparison checks biasing DSA nonces CVE-2026-4600 — jsrsasign: jsrsasign: Cryptographic signature forgery via malicious DSA domain parameters CVE-2026-4601 — jsrsasign: jsrsasign: Private Key Recovery via Missing Cryptographic Step in DSA Signing CVE-2026-4602 — jsrsasign: jsrsasign: Signature verification bypass via negative exponent handling CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-27137 — crypto/x509: Incorrect enforcement of email constraints in crypto/x509 CVE-2026-27459 — pyOpenSSL: DTLS cookie callback buffer overflow CVE-2026-27962 — authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability CVE-2026-28802 — authlib: Authlib: Signature verification bypass via malicious JWT allows unauthorized access CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution CVE-2026-29074 — svgo: SVGO: Denial of Service via XML entity expansion CVE-2026-30922 — pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion CVE-2026-32280 — crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building CVE-2026-32282 — golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root CVE-2026-32286 — github.com/jackc/pgproto3/v2: github.com/jackc/pgproto3/v2: Denial of Service via malicious PostgreSQL server CVE-2026-32589 — mirror-registry: quay: insecure direct object reference in BlobUpload CVE-2026-32590 — mirror-registry: remote code execution using pickle deserialization CVE-2026-32597 — pyjwt: PyJWT accepts unknown crit header extensions (RFC 7515 §4.1.11 MUST violation) CVE-2026-33186 — google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation CVE-2026-33894 — node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification CVE-2026-34986 — github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object CVE-2026-39892 — cryptography: Cryptography: Buffer overflow via non-contiguous buffer in API CVE-2026-40192 — Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing CVE-2026-40895 — follow-redirects: follow-redirects: Information disclosure via cross-domain redirects CVE-2026-42033 — axios: Axios: HTTP Transport Hijacking via Prototype Pollution CVE-2026-42035 — axios: Axios: Arbitrary HTTP header injection via prototype pollution CVE-2026-42039 — axios: Node.js: Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data CVE-2026-42041 — axios: Axios: Authentication bypass due to prototype pollution of HTTP error handling CVE-2026-42043 — axios: Axios: NO_PROXY bypass via crafted URL CVE-2026-42044 — axios: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget