
CVSS: 8.2 | EPSS: 0% | CPEs: 5 | EXPL: 1

30 Mar 2026 — A flaw was found in libsoup. When establishing an HTTPS tunnel through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext in the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation. • https://access.redhat.com/security/cve/CVE-2026-5119 • CWE-319: Cleartext Transmission of Sensitive Information •
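A CONNECT request is addressed to the proxy, not to the origin, so any origin-bound header on it (Cookie, Authorization) is readable by the proxy and by anyone on the client-to-proxy path; it belongs only inside the TLS tunnel set up afterwards. The following added example (not libsoup code) parses a raw client-to-proxy request, reports origin-only headers that leak on a CONNECT, and shows the client-side fix of stripping them before the proxy leg. The request bytes are constructed, and the list of headers treated as origin-only is an assumption.

```python
"""Flag origin-bound credentials that a client leaks in the cleartext
CONNECT request it sends to an HTTP proxy (the leak described for
CVE-2026-5119). Added example, not libsoup code; the request bytes are
constructed and ORIGIN_ONLY_HEADERS is an assumed list."""
from typing import Dict, List, Tuple

# A CONNECT request is addressed to the proxy (RFC 7231 s.4.3.6), so every
# header on it is visible to the proxy and to anyone on the client-to-proxy
# path. Headers that belong to the origin must only travel inside the TLS
# tunnel established afterwards. (Assumed list; extend as needed.)
ORIGIN_ONLY_HEADERS = ("cookie", "authorization")


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, List[str]]]:
    """Split an HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; repeated names are kept as a list.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def leaked_on_connect(raw: bytes) -> List[str]:
    """Return the origin-only header names present on a CONNECT request.

    Non-CONNECT requests are out of scope and yield []. Run this over raw
    client-to-proxy traffic (a pcap, a test proxy's log) to catch the leak.
    """
    method, _target, headers = parse_request_head(raw)
    if method.upper() != "CONNECT":
        return []
    return [name for name in ORIGIN_ONLY_HEADERS if name in headers]


def sanitize_connect(raw: bytes) -> bytes:
    """Rebuild a CONNECT request without origin-only headers.

    This is the client-side fix: the proxy leg keeps only what the proxy
    needs (target, Host, Proxy-Authorization, hop-by-hop headers).
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0].upper().startswith(b"CONNECT "):
        return raw
    kept = [lines[0]]
    for line in lines[1:]:
        name = line.split(b":", 1)[0].strip().lower().decode("latin-1")
        if name not in ORIGIN_ONLY_HEADERS:
            kept.append(line)
    return b"\r\n".join(kept) + sep + rest


# Constructed sample: what a vulnerable client sends to its proxy. The cookie
# value is a placeholder, not captured data.
LEAKY_CONNECT = (
    b"CONNECT example.com:443 HTTP/1.1\r\n"
    b"Host: example.com:443\r\n"
    b"Cookie: SESSIONID=constructed-sample-value\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("leaked on CONNECT:", leaked_on_connect(LEAKY_CONNECT))
    print(sanitize_connect(LEAKY_CONNECT).decode("ascii"))
```

Point a test proxy (or a pcap of the client-to-proxy leg) at `leaked_on_connect` to confirm a client is affected; a clean client yields an empty list for every CONNECT.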

CVSS: 9.1 | EPSS: 0% | CPEs: 11 | EXPL: 0

27 Mar 2026 — A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker to bypass security mechanisms, access restricted information, or manipulate web caches, potentially leading to unauthorized actions or data exposure. • https://access.redhat.com/security/cve/CVE-2026-28369 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 9.1 | EPSS: 0% | CPEs: 11 | EXPL: 0

27 Mar 2026 — A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unauthorized resources. • https://access.redhat.com/security/cve/CVE-2026-28368 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
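Both Undertow entries above describe the same precondition for request smuggling: a front-end proxy and the back-end server read one byte stream and disagree about where a request ends. The added example below (not Undertow code; request bytes constructed) parses the same stream with two policies for a header line that begins with whitespace, the strict one from RFC 7230 section 3 (consume the line without processing it) and the lenient one the first advisory describes (strip the spaces and honour the header), and shows the lenient parser finding a second request that the strict one never saw. The header-name discrepancy of the second advisory is not specified on this page, so it is not modelled; the rejection check at the end is the policy a practitioner should apply to both cases.

```python
"""Show how two parsers that disagree about a whitespace-prefixed first
header line split one byte stream into different requests (the smuggling
precondition described for CVE-2026-28369 and, with a header-name
discrepancy instead, CVE-2026-28368). Added example, not Undertow code;
the request bytes are constructed."""
from typing import Dict, List, Optional, Tuple


def parse_head(stream: bytes, start: int, lenient: bool) -> Tuple[str, str, Dict[str, str], int]:
    """Parse one request head starting at `start`.

    Returns (method, target, headers, body_start). A header line beginning
    with SP or HTAB is handled two ways:
      lenient=True  : strip the whitespace and treat it as a normal field
                      (the behaviour the advisory describes);
      lenient=False : before the first field, consume it without processing
                      (RFC 7230 s.3); after a field, fold it into the previous
                      value (obs-fold, RFC 7230 s.3.2.4).
    """
    end = stream.index(b"\r\n\r\n", start)
    lines = stream[start:end].split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    last_name: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            if lenient:
                line = line.lstrip(b" \t")
            elif last_name is None:
                continue
            else:
                headers[last_name] += " " + line.strip().decode("latin-1")
                continue
        name, _, value = line.decode("latin-1").partition(":")
        last_name = name.strip().lower()
        headers[last_name] = value.strip()
    return method, target, headers, end + 4


def body_end(stream: bytes, headers: Dict[str, str], body_start: int) -> int:
    """Offset just past the body. Transfer-Encoding: chunked takes precedence
    over Content-Length when both are present (RFC 7230 s.3.3.3)."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        pos = body_start
        while True:
            line_end = stream.index(b"\r\n", pos)
            size = int(stream[pos:line_end].split(b";")[0], 16)
            pos = line_end + 2
            if size == 0:
                break
            pos += size + 2                     # chunk data plus its CRLF
        while True:                             # trailer section ends at an empty line
            line_end = stream.index(b"\r\n", pos)
            if line_end == pos:
                return pos + 2
            pos = line_end + 2
    return body_start + int(headers.get("content-length", "0"))


def split_requests(stream: bytes, lenient: bool) -> List[Tuple[str, str]]:
    """(method, target) of every request a parser with this policy sees."""
    seen: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(stream):
        method, target, headers, body_start = parse_head(stream, pos, lenient)
        seen.append((method, target))
        pos = body_end(stream, headers, body_start)
    return seen


def reject_reason(stream: bytes) -> Optional[str]:
    """The safe policy for a front end or server: refuse, rather than repair,
    heads that different implementations are known to read differently."""
    head = stream[: stream.index(b"\r\n\r\n")]
    lines = head.split(b"\r\n")
    if len(lines) > 1 and lines[1][:1] in (b" ", b"\t"):
        return "first header line begins with whitespace"
    names = [line.split(b":", 1)[0].strip().lower() for line in lines[1:]]
    if b"transfer-encoding" in names and b"content-length" in names:
        return "both Transfer-Encoding and Content-Length present"
    return None


# Constructed attack stream. A strict front end that drops the
# whitespace-prefixed line sees one POST with a 28-byte body; a lenient back
# end that keeps the line as Transfer-Encoding sees the chunked body end at
# "0\r\n\r\n" and parses the leftover bytes as a second request, GET /admin.
SMUGGLE = (
    b"POST /upload HTTP/1.1\r\n"
    b" Transfer-Encoding: chunked\r\n"
    b"Host: app.internal\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("front end (strict): ", split_requests(SMUGGLE, lenient=False))
    print("back end (lenient): ", split_requests(SMUGGLE, lenient=True))
    print("reject:", reject_reason(SMUGGLE))
```

The smuggled GET /admin never passes through the front end's access checks, which is the bypass the advisories describe. Rejecting (HTTP 400) any head that starts with a whitespace-prefixed line, or carries both framing headers, removes the ambiguity instead of choosing one interpretation of it.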

CVSS: 3.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

26 Mar 2026 — A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file, or the condition can arise when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try to access dangerous files, such as block devices or large system files, which can disrupt normal operations. • https://access.redhat.com/security/cve/CVE-2026-0965 • CWE-73: External Control of File Name or Path •
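The check a parser wants before consuming a path it did not choose is made on the open descriptor, not on the path string: open without blocking, fstat, and refuse anything that is not a regular file of bounded size. The added example below (not libssh code) shows that pattern in Python; the size cap, the rejection policy and the sample paths are assumptions.

```python
"""Open a client configuration file only if it is a regular file of bounded
size, so that a path pointing at a block or character device, a FIFO or a
huge file cannot stall or exhaust the parser (the failure mode described for
CVE-2026-0965). Added example, not libssh code; the cap is an assumption."""
import os
import stat
import tempfile
from typing import Dict, Union

MAX_CONFIG_BYTES = 1 << 20  # assumed cap: no sane ssh config approaches 1 MiB


class UnsafeConfigFile(Exception):
    """Raised when the path does not lead to an acceptable regular file."""


def read_config_file(path: str, max_bytes: int = MAX_CONFIG_BYTES) -> bytes:
    """Return the file's bytes, or raise UnsafeConfigFile.

    The checks run on the open descriptor (fstat), so the object checked is
    the object read. O_NONBLOCK keeps open() from hanging on a FIFO or a
    tty; O_NOCTTY keeps a tty path from becoming the controlling terminal.
    Both flags are harmless for a regular file.
    """
    flags = (os.O_RDONLY | os.O_NONBLOCK
             | getattr(os, "O_NOCTTY", 0) | getattr(os, "O_CLOEXEC", 0))
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeConfigFile(
                f"{path}: not a regular file ({stat.filemode(st.st_mode)})")
        if st.st_size > max_bytes:
            raise UnsafeConfigFile(
                f"{path}: {st.st_size} bytes exceeds cap of {max_bytes}")
        # Read with a hard limit even though st_size passed: the file may
        # grow between fstat and read, and the size is never trusted alone.
        chunks = []
        remaining = max_bytes + 1
        while remaining > 0:
            chunk = os.read(fd, min(65536, remaining))
            if not chunk:
                break
            chunks.append(chunk)
            remaining -= len(chunk)
        data = b"".join(chunks)
        if len(data) > max_bytes:
            raise UnsafeConfigFile(f"{path}: grew past cap of {max_bytes} bytes")
        return data
    finally:
        os.close(fd)


def demo() -> Dict[str, Union[bytes, str]]:
    """Exercise the check on constructed inputs: a real config file, a
    directory, the same file under a tiny cap, and a character device.
    Returns what happened to each so the outcomes can be inspected."""
    workdir = tempfile.mkdtemp()
    config = os.path.join(workdir, "config")
    with open(config, "wb") as fh:
        fh.write(b"Host bastion\n    User alice\n")
    results: Dict[str, Union[bytes, str]] = {"regular": read_config_file(config)}
    probes = (("directory", workdir, MAX_CONFIG_BYTES),
              ("too_big", config, 4),
              ("devnull", "/dev/null", MAX_CONFIG_BYTES))
    for label, path, cap in probes:
        try:
            read_config_file(path, cap)
            results[label] = "accepted"
        except UnsafeConfigFile:
            results[label] = "rejected"
        except FileNotFoundError:
            results[label] = "missing"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome!r}")
```

Symlinks are followed by `os.open`, so what gets checked is the link's target; if the deployment should refuse symlinked configuration entirely, add `os.O_NOFOLLOW` to the flags on platforms that provide it.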

CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

26 Mar 2026 — A flaw was found in libssh. A remote attacker who controls client configuration files or known_hosts files could craft specific hostnames that, when processed by the `match_pattern()` function, cause inefficient backtracking in the pattern matcher. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client. • https://access.redhat.com/security/cve/CVE-2026-0967 • CWE-1333: Inefficient Regular Expression Complexity •
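The blow-up comes from a matcher that, on every wildcard, tries each possible suffix and recurses: with k wildcards against an n-character host name that almost matches, it explores on the order of C(n, k) paths before failing. The added example below (not libssh code; it assumes, as OpenSSH's `match_pattern()` does, that only `*` and `?` are special) puts such a naive matcher under a step budget next to a two-pointer matcher whose work is bounded by pattern length times host length, and runs both on a constructed pattern and host name that trigger the worst case.

```python
"""Contrast a backtracking wildcard matcher of the kind the advisory
describes (match_pattern(), assumed to accept '*' and '?' as OpenSSH's does)
with a matcher bounded by len(pattern) * len(text), on a host name built to
trigger the blow-up (CVE-2026-0967). Added example, not libssh code; the
step budget and the sample inputs are constructed."""


class StepBudgetExceeded(Exception):
    """Raised when the naive matcher exceeds its step budget."""


def match_naive(pattern: str, text: str, budget: int = 200_000) -> bool:
    """Recursive matcher: on '*' it tries every possible suffix and recurses,
    so k stars against n characters cost up to C(n, k) calls. `budget`
    stands in for the wall clock so the demo always terminates."""
    steps = [0]

    def rec(pi: int, ti: int) -> bool:
        steps[0] += 1
        if steps[0] > budget:
            raise StepBudgetExceeded(f"{steps[0]} steps")
        if pi == len(pattern):
            return ti == len(text)
        c = pattern[pi]
        if c == "*":
            for k in range(ti, len(text) + 1):   # every suffix, then backtrack
                if rec(pi + 1, k):
                    return True
            return False
        if ti < len(text) and (c == "?" or c == text[ti]):
            return rec(pi + 1, ti + 1)
        return False

    return rec(0, 0)


def match_bounded(pattern: str, text: str) -> bool:
    """Two-pointer matcher: remembers the most recent '*' and the text index
    it currently covers; on a mismatch it extends that '*' by one character
    instead of re-exploring every suffix. Each text index is revisited at
    most once per '*', so the work is O(len(text) * len(pattern))."""
    pi = ti = 0
    star = -1   # pattern index of the last '*' seen
    mark = 0    # text index up to which that '*' is matched
    while ti < len(text):
        if pi < len(pattern) and pattern[pi] in ("?", text[ti]):
            pi += 1
            ti += 1
        elif pi < len(pattern) and pattern[pi] == "*":
            star, mark = pi, ti
            pi += 1
        elif star != -1:
            pi = star + 1
            mark += 1
            ti = mark
        else:
            return False
    while pi < len(pattern) and pattern[pi] == "*":
        pi += 1
    return pi == len(pattern)


# Constructed: a Host/known_hosts pattern with many '*' and a host name that
# matches every 'a' but never the final 'b', so the naive matcher explores a
# combinatorial number of ways to distribute the 'a's before giving up.
EVIL_PATTERN = "*a" * 10 + "*b"
ALMOST_HOST = "a" * 30


def naive_verdict(pattern: str = EVIL_PATTERN, host: str = ALMOST_HOST) -> str:
    """'timeout' if the naive matcher blew its budget, else its verdict."""
    try:
        return str(match_naive(pattern, host))
    except StepBudgetExceeded:
        return "timeout"


if __name__ == "__main__":
    print("naive:  ", naive_verdict())
    print("bounded:", match_bounded(EVIL_PATTERN, ALMOST_HOST))
    print("bounded:", match_bounded("*.example.com", "bastion.example.com"))
```

The page does not say how libssh resolved the issue; the bounded matcher here is one standard way to keep wildcard matching linear in the product of the two lengths. Either way, the input that matters is attacker-controlled configuration, so the matcher's worst case, not its typical case, is the number to bound.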

CVSS: 7.2 | EPSS: 0% | CPEs: 4 | EXPL: 0

26 Mar 2026 — A flaw was found in Keycloak. An administrator holding the `manage-clients` permission can exploit a misconfiguration in which that permission is treated as equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. The escalation is possible when admin permissions are enabled at the realm level. • https://access.redhat.com/errata/RHSA-2026:6477 • CWE-266: Incorrect Privilege Assignment •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Mar 2026 — A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user holding a token issued for a resource server client, even one without the `uma_protection` role, to enumerate all permission tickets in the system, resulting in partial information disclosure. • https://access.redhat.com/errata/RHSA-2026:6477 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •

CVSS: 6.1 | EPSS: 0% | CPEs: 7 | EXPL: 0

23 Mar 2026 — A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not validated before being used. This can cause the program to read memory outside the intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial of service or limited information disclosure. • https://access.redhat.com/security/cve/CVE-2026-4647 • CWE-125: Out-of-bounds Read •

CVSS: 8.1 | EPSS: 0% | CPEs: 6 | EXPL: 0

05 Mar 2026 — A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed through an Identity Provider (IdP) even after an administrator has disabled it. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. • https://access.redhat.com/errata/RHSA-2026:3947 • CWE-285: Improper Authorization • CWE-863: Incorrect Authorization •

CVSS: 6.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

17 Feb 2026 — pybind: Improper use of Pybind. A new version of Red Hat build of Ceph Storage has been released. •