RHSA-2026:3960 | High | CVSS 8.8

Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.6 Container Release Update

Published: March 6, 2026
Last Modified: June 3, 2026

🔗 CVE IDs covered (17)

📋 Description

CVE-2025-4565 — python-protobuf: Unbounded recursion in Python Protobuf
CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions
CVE-2025-53643 — aiohttp: AIOHTTP HTTP Request/Response Smuggling
CVE-2025-59057 — react-router: @remix-run/router: React Router XSS Vulnerability
CVE-2025-61140 — jsonpath: jsonpath: Prototype Pollution vulnerability in the value function
CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url
CVE-2025-66471 — urllib3: urllib3 Streaming API improperly handles highly compressed data
CVE-2025-69223 — aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
CVE-2026-1207 — Django: Django: SQL Injection via RasterField band index parameter
CVE-2026-1287 — Django: Django: SQL Injection via crafted column aliases
CVE-2026-1312 — Django: Django: SQL injection via crafted column aliases in QuerySet.order_by()
CVE-2026-21441 — urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
CVE-2026-21884 — react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration
CVE-2026-22029 — @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects
CVE-2026-24049 — wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking
CVE-2026-24486 — python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
CVE-2026-25536 — @modelcontextprotocol/sdk: @modelcontextprotocol/sdk cross-client data leak

🔗 References (21)