RHSA-2026:6567 | High | CVSS 9.1

Red Hat Security Advisory: Red Hat Quay 3.16.3

Published: April 3, 2026
Last Modified: June 3, 2026

🔗 CVE IDs covered (13)

📋 Description

- CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions
- CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url
- CVE-2025-61728 — golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
- CVE-2025-68121 — crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
- CVE-2025-68158 — Authlib: Authlib: Cross-Site Request Forgery due to improper session management in state storage
- CVE-2025-69873 — ajv: ReDoS via $data reference
- CVE-2026-25639 — axios: Axios affected by Denial of Service via proto Key in mergeConfig
- CVE-2026-25990 — pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image
- CVE-2026-26007 — cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
- CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns
- CVE-2026-27628 — pypdf: possible infinite loop when loading circular /Prev entries in cross-reference streams
- CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
- CVE-2026-28498 — authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens

🔗 References (16)