RHSA-2026:6568
Severity
High
CVSS
9.1

Red Hat Security Advisory: Red Hat Quay 3.15.4

Published
April 3, 2026
Last Modified
June 3, 2026

CVE IDs covered (26)

CVE-2025-61726
CVE-2025-69873
CVE-2026-4598 (pending)
CVE-2026-4599 (pending)
CVE-2026-4601
CVE-2026-25639
CVE-2026-26007
CVE-2026-28802 (pending)
CVE-2024-34156
CVE-2024-45337
CVE-2026-4600
CVE-2026-4602 (pending)
CVE-2026-25990
CVE-2026-28498 (pending)
CVE-2026-29063
CVE-2026-29074 (pending)
CVE-2025-61729
CVE-2025-68121
CVE-2026-26996 (pending)
CVE-2026-30922
CVE-2026-32597
CVE-2024-45338
CVE-2025-61728
CVE-2025-68158
CVE-2026-27628 (pending)
CVE-2026-27904 (pending)

Description

CVE-2024-34156 — encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
CVE-2024-45337 — golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto
CVE-2024-45338 — golang.org/x/net/html: Non-linear parsing of case-insensitive content in golang.org/x/net/html
CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url
CVE-2025-61728 — golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
CVE-2025-68121 — crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
CVE-2025-68158 — Authlib: Authlib: Cross-Site Request Forgery due to improper session management in state storage
CVE-2025-69873 — ajv: ReDoS via $data reference
CVE-2026-4598 — jsrsasign: jsrsasign: Denial of Service via infinite loop in bnModInverse function with crafted inputs
CVE-2026-4599 — jsrsasign: jsrsasign: Private key recovery via incomplete comparison checks biasing DSA nonces
CVE-2026-4600 — jsrsasign: jsrsasign: Cryptographic signature forgery via malicious DSA domain parameters
CVE-2026-4601 — jsrsasign: jsrsasign: Private Key Recovery via Missing Cryptographic Step in DSA Signing
CVE-2026-4602 — jsrsasign: jsrsasign: Signature verification bypass via negative exponent handling
CVE-2026-25639 — axios: Axios affected by Denial of Service via proto Key in mergeConfig
CVE-2026-25990 — pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image
CVE-2026-26007 — cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns
CVE-2026-27628 — pypdf: possible infinite loop when loading circular /Prev entries in cross-reference streams
CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
CVE-2026-28498 — authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens
CVE-2026-28802 — authlib: Authlib: Signature verification bypass via malicious JWT allows unauthorized access
CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution
CVE-2026-29074 — svgo: SVGO: Denial of Service via XML entity expansion
CVE-2026-30922 — pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion
CVE-2026-32597 — pyjwt: PyJWT accepts unknown crit header extensions (RFC 7515 §4.1.11 MUST violation)

References (29)