What is RHSA-2026:9742?

RHSA-2026:9742 is a security advisory published by Red Hat Product Security with Critical severity. Red Hat Security Advisory: Red Hat Developer Hub 1.8.6 release.

Which CVE IDs does RHSA-2026:9742 cover?

RHSA-2026:9742 covers the following CVE IDs: CVE-2025-62718, CVE-2026-1525, CVE-2026-1528, CVE-2026-2229, CVE-2026-29063, CVE-2026-29186, CVE-2026-33036, CVE-2026-33895, CVE-2025-69873, CVE-2026-4926, CVE-2026-33891, CVE-2026-40175, CVE-2025-69534, CVE-2026-3118, CVE-2026-27601, CVE-2026-27904, CVE-2026-32141, CVE-2026-33894, CVE-2026-39983, CVE-2026-1526, CVE-2026-4800, CVE-2026-25679, CVE-2026-26996, CVE-2026-29074, CVE-2026-33228, CVE-2026-33896. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of RHSA-2026:9742?

RHSA-2026:9742 has a CVSS v3 base score of 9.8, published by Red Hat Product Security.

RHSA-2026:9742CriticalCVSS 9.8

Red Hat Security Advisory: Red Hat Developer Hub 1.8.6 release.

Vendor

Red Hat Product Security

Published

April 22, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (26)

CVE-2025-62718 →CVE-2026-1525 · pendingCVE-2026-1528 · pendingCVE-2026-2229 · pendingCVE-2026-29063 →CVE-2026-29186 · pendingCVE-2026-33036 · pendingCVE-2026-33895 →CVE-2025-69873 →CVE-2026-4926 →CVE-2026-33891 →CVE-2026-40175 →CVE-2025-69534 · pendingCVE-2026-3118 →CVE-2026-27601 →CVE-2026-27904 · pendingCVE-2026-32141 · pendingCVE-2026-33894 →CVE-2026-39983 →CVE-2026-1526 · pendingCVE-2026-4800 →CVE-2026-25679 →CVE-2026-26996 · pendingCVE-2026-29074 · pendingCVE-2026-33228 · pendingCVE-2026-33896 →

📋 Description

CVE-2025-62718 — axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization CVE-2025-69534 — python-markdown: denial of service via malformed HTML-like sequences CVE-2025-69873 — ajv: ReDoS via $data reference CVE-2026-1525 — undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers CVE-2026-1526 — undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression CVE-2026-1528 — undici: undici: Denial of Service via crafted WebSocket frame with large length CVE-2026-2229 — undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter CVE-2026-3118 — rhdh: GraphQL Injection Leading to Platform-Wide Denial of Service (DoS) in RH Developer Hub Orchestrator Plugin CVE-2026-4800 — lodash: lodash: Arbitrary code execution via untrusted input in template imports CVE-2026-4926 — path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions CVE-2026-25679 — net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-27601 — Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions CVE-2026-27904 — minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions CVE-2026-29063 — immutable-js: Immutable.js: Arbitrary code execution via Prototype Pollution CVE-2026-29074 — svgo: SVGO: Denial of Service via XML entity expansion CVE-2026-29186 — backstage/plugin-techdocs-node: TechDocs Mkdocs configuration key enables arbitrary code execution CVE-2026-32141 — flatted: flatted: Unbounded recursion DoS in parse() revive phase CVE-2026-33036 — fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass CVE-2026-33228 — flatted: Flatted: Prototype pollution vulnerability allows arbitrary code execution via crafted JSON. CVE-2026-33891 — node-forge: node-forge: Denial of Service via infinite loop in BigInteger.modInverse() CVE-2026-33894 — node-forge: Forge: Signature Forgery via Weak RSASSA PKCS#1 v1.5 Verification CVE-2026-33895 — node-forge: Forge: Authentication bypass via forged Ed25519 cryptographic signatures CVE-2026-33896 — node-forge: Forge (node-forge): Certificate validation bypass allows unauthorized certificate issuance CVE-2026-39983 — basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters CVE-2026-40175 — axios: Axios: Remote Code Execution via Prototype Pollution escalation

🔗 References (57)

selfhttps://access.redhat.com/errata/RHSA-2026:9742
externalhttps://access.redhat.com/security/cve/CVE-2025-62718
externalhttps://access.redhat.com/security/cve/CVE-2025-69534
externalhttps://access.redhat.com/security/cve/CVE-2025-69873
externalhttps://access.redhat.com/security/cve/CVE-2026-1525
externalhttps://access.redhat.com/security/cve/CVE-2026-1526
externalhttps://access.redhat.com/security/cve/CVE-2026-1528
externalhttps://access.redhat.com/security/cve/CVE-2026-2229
externalhttps://access.redhat.com/security/cve/CVE-2026-25679
externalhttps://access.redhat.com/security/cve/CVE-2026-26996
externalhttps://access.redhat.com/security/cve/CVE-2026-27601
externalhttps://access.redhat.com/security/cve/CVE-2026-27904
externalhttps://access.redhat.com/security/cve/CVE-2026-29063
externalhttps://access.redhat.com/security/cve/CVE-2026-29074
externalhttps://access.redhat.com/security/cve/CVE-2026-29186
externalhttps://access.redhat.com/security/cve/CVE-2026-3118
externalhttps://access.redhat.com/security/cve/CVE-2026-32141
externalhttps://access.redhat.com/security/cve/CVE-2026-33036
externalhttps://access.redhat.com/security/cve/CVE-2026-33228
externalhttps://access.redhat.com/security/cve/CVE-2026-33891
externalhttps://access.redhat.com/security/cve/CVE-2026-33894
externalhttps://access.redhat.com/security/cve/CVE-2026-33895
externalhttps://access.redhat.com/security/cve/CVE-2026-33896
externalhttps://access.redhat.com/security/cve/CVE-2026-39983
externalhttps://access.redhat.com/security/cve/CVE-2026-40175
externalhttps://access.redhat.com/security/cve/CVE-2026-4800
externalhttps://access.redhat.com/security/cve/CVE-2026-4926
externalhttps://access.redhat.com/security/updates/classification/
externalhttps://catalog.redhat.com/search?gs&searchType=containers&q=rhdh
externalhttps://developers.redhat.com/rhdh/overview
externalhttps://docs.redhat.com/en/documentation/red_hat_developer_hub
externalhttps://issues.redhat.com/browse/RHDHBUGS-2288
externalhttps://issues.redhat.com/browse/RHDHBUGS-2947
externalhttps://issues.redhat.com/browse/RHDHBUGS-2972
externalhttps://issues.redhat.com/browse/RHIDP-12327
externalhttps://issues.redhat.com/browse/RHIDP-12388
externalhttps://issues.redhat.com/browse/RHIDP-12419
externalhttps://issues.redhat.com/browse/RHIDP-12511
externalhttps://issues.redhat.com/browse/RHIDP-12568
externalhttps://issues.redhat.com/browse/RHIDP-12647
externalhttps://issues.redhat.com/browse/RHIDP-12650
externalhttps://issues.redhat.com/browse/RHIDP-12655
externalhttps://issues.redhat.com/browse/RHIDP-12666
externalhttps://issues.redhat.com/browse/RHIDP-12686
externalhttps://issues.redhat.com/browse/RHIDP-12784
externalhttps://issues.redhat.com/browse/RHIDP-12880
externalhttps://issues.redhat.com/browse/RHIDP-12887
externalhttps://issues.redhat.com/browse/RHIDP-12921
externalhttps://issues.redhat.com/browse/RHIDP-12930
externalhttps://issues.redhat.com/browse/RHIDP-12996
externalhttps://issues.redhat.com/browse/RHIDP-13105
externalhttps://issues.redhat.com/browse/RHIDP-13107
externalhttps://issues.redhat.com/browse/RHIDP-13130
externalhttps://issues.redhat.com/browse/RHIDP-13180
externalhttps://issues.redhat.com/browse/RHIDP-13182
externalhttps://issues.redhat.com/browse/RHIDP-13185
selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_9742.json