SB2026070912 - Multiple vulnerabilities in IBM MQ Operator and Queue manager container images
Published: July 9, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 44 vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2026-42767)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to NULL pointer dereference in CRMF EncryptedValue decryption when processing a crafted CMP response containing an EncryptedValue structure with an algorithm OID but no parameters field. A remote attacker can send a crafted CMP response to cause a denial of service.
The issue can be triggered by an attacker-controlled CMP server or a man-in-the-middle.
2) Unchecked Return Value (CVE-ID: CVE-2026-31790)
CWE-ID: CWE-252 - Unchecked Return Value
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to incorrect failure handling in RSA KEM RSASVE encapsulation when processing an attacker-supplied invalid RSA public key with EVP_PKEY_encapsulate(). A remote attacker can supply an invalid RSA public key to disclose sensitive information.
The issue affects applications using RSA/RSASVE encapsulation without validating the supplied public key first.
3) NULL pointer dereference (CVE-ID: CVE-2026-42764)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to NULL pointer dereference in QUIC server initial packet handling when processing an initial packet with an invalid or expired token. A remote attacker can send a crafted initial packet to cause a denial of service.
The issue is reachable only when address validation is disabled, such as when SSL_LISTENER_FLAG_NO_VALIDATE is used with SSL_new_listener().
4) Input validation error (CVE-ID: CVE-2026-34182)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass integrity validation.
The vulnerability exists due to improper input validation in CMS AuthEnvelopedData processing when decrypting crafted AuthEnvelopedData containers. A remote attacker can send a specially crafted CMS message to bypass integrity validation.
In some cases, if the application exposes decryption success or failure, the issue can be used as an oracle to obtain key-equivalent functionality for the content-encryption key.
5) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-45446)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to forge empty messages with arbitrary additional authenticated data.
The vulnerability exists due to incorrect tag processing in the AES-GCM-SIV and AES-SIV provider implementations when decrypting messages with empty ciphertext and supplied additional authenticated data. A remote attacker can send a crafted message with empty ciphertext and a forged tag to forge empty messages with arbitrary additional authenticated data.
The issue is reachable only in applications that implement their own protocol with the EVP interface and skip the ciphertext update when a message with empty ciphertext arrives.
6) Out-of-bounds read (CVE-ID: CVE-2026-34180)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to integer truncation in the ASN.1 decoder when parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length. A remote attacker can supply crafted ASN.1 input to disclose sensitive information.
The issue affects only 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.
7) Improper privilege management (CVE-ID: CVE-2026-3621)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability occurs when an application is deployed without authentication and authorization configured. A remote user can escalate privileges.
8) Improper Certificate Validation (CVE-ID: CVE-2026-42769)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to replace the root CA certificate trusted by CMP clients.
The vulnerability exists due to improper certificate validation in OSSL_CMP_get1_rootCaKeyUpdate() when processing id-it-rootCaKeyUpdate CMP messages. A remote user can send a crafted CMP root CA key update message to replace the root CA certificate trusted by CMP clients.
Exploitation requires credentials that satisfy the CMP message protection checks.
9) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-34183)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in the QUIC PATH_CHALLENGE handler when processing floods of PATH_CHALLENGE frames. A remote attacker can send a flood of PATH_CHALLENGE frames to cause a denial of service.
The issue affects applications acting as a QUIC client or server.
10) Improper Initialization (CVE-ID: CVE-2026-45445)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to forge arbitrary ciphertext.
The vulnerability exists due to improper initialization in the AES-OCB EVP_Cipher() one-shot path when processing AES-OCB operations through the public EVP_Cipher() interface. A local user can invoke the one-shot API on an AES-OCB context to forge arbitrary ciphertext.
Only applications that combine AES-OCB with the EVP_Cipher() one-shot API are affected; applications using the documented streaming AEAD API are not affected.
11) Improper input validation (CVE-ID: CVE-2026-34282)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
12) Prototype pollution (CVE-ID: CVE-2026-42033)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to tamper with JSON responses and disclose sensitive information.
The vulnerability exists due to prototype pollution in parseReviver handling in the transformResponse functionality when processing JSON responses in a process where Object.prototype has been polluted by a co-dependency. A remote attacker can pollute Object.prototype.parseReviver to tamper with JSON responses and disclose sensitive information.
This issue affects the parseReviver gadget and requires a separate source of prototype pollution in the same process.
13) Improper input validation (CVE-ID: CVE-2026-22016)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
14) Integer overflow (CVE-ID: CVE-2026-23865)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to integer overflow within the tt_var_load_item_variation_store() function when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. A remote attacker can trick the victim into opening a specially crafted file, trigger an integer overflow and read memory contents on the system.
15) Improper input validation (CVE-ID: CVE-2026-22021)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
16) Improper input validation (CVE-ID: CVE-2026-22013)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
17) Improper input validation (CVE-ID: CVE-2026-22018)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
18) Improper input validation (CVE-ID: CVE-2026-22008)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Libraries component in Oracle Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
19) Improper input validation (CVE-ID: CVE-2026-34268)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
20) Improper input validation (CVE-ID: CVE-2026-22007)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A local non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
21) Out-of-bounds read (CVE-ID: CVE-2026-6918)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in Message::deserialize() and MessageBuffer::readData() when processing a crafted TCP message containing an attacker-controlled DataDescriptor._size value. A remote attacker can send a specially crafted TCP message to cause a denial of service.
The issue occurs before protocol-level validation, and no authentication, encryption, or valid JIT compilation request is required. Deployments running without TLS client authentication are affected by default.
22) Input validation error (CVE-ID: CVE-2026-42770)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to recover the victim's private key.
The vulnerability exists due to improper input validation in EVP_PKEY_derive_set_peer() when validating a DHX (X9.42) peer key using the peer-supplied q parameter for subgroup membership checks. A remote attacker can present a forged DHX peer key to recover the victim's private key.
The realistic attack surface is narrow and is principally limited to deployments using long-lived X9.42 DHX static keys with interactive protocols.
23) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42034)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the HTTP adapter native http/https transport path when sending streamed request bodies with maxRedirects set to 0. A remote attacker can send an oversized streamed upload to cause a denial of service.
The issue affects only stream request bodies; buffered request bodies and requests using default or nonzero redirect handling follow different enforcement paths.
24) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-62718)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to conduct server-side request forgery and disclose sensitive information.
The vulnerability exists due to improper hostname normalization in NO_PROXY rule evaluation when processing attacker-controlled request URLs. A remote attacker can supply a crafted URL using forms such as localhost. or [::1] to conduct server-side request forgery and disclose sensitive information.
Applications that rely on NO_PROXY entries for loopback or internal services are affected.
25) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42036)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the HTTP adapter streamed response handling when processing responses with responseType: 'stream' and enforcing maxContentLength. A remote attacker can send a specially crafted oversized response to cause a denial of service.
The issue affects Node.js applications that rely on maxContentLength as a safety boundary while using streamed Axios responses.
26) CRLF injection (CVE-ID: CVE-2026-42037)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary multipart part headers.
The vulnerability exists due to improper neutralization of CRLF sequences in FormDataPart constructor in lib/helpers/formDataToStream.js when processing Blob/File-like object MIME types in multipart form-data generation. A remote attacker can supply a specially crafted blob.type value to inject arbitrary multipart part headers.
This issue is reachable through the public axios FormData posting API in Node.js environments that accept attacker-controlled file metadata and relay it downstream.
27) Improper access control (CVE-ID: CVE-2026-42038)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in shouldBypassProxy() when processing URLs against no_proxy rules. A remote attacker can supply a URL using an IP alias instead of the hostname to disclose sensitive information.
In server-side environments, requests intended to bypass proxies can instead be routed through an attacker-controlled proxy. This can affect access to internal or cloud metadata services.
28) Uncontrolled Recursion (CVE-ID: CVE-2026-42039)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in toFormData in lib/helpers/toFormData.js when processing deeply nested request data or params objects. A remote attacker can send a deeply nested object to cause a denial of service.
The issue can be reached in server-side code that forwards client-controlled objects into axios request data or params, and may terminate the running request handler or process with a RangeError.
29) Null Byte Interaction Error (Poison Null Byte) (CVE-ID: CVE-2026-42040)
CWE-ID: CWE-626 - Null Byte Interaction Error (Poison Null Byte)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to inject raw null bytes into serialized URL query parameters.
The vulnerability exists due to null byte interaction error in lib/helpers/AxiosURLSearchParams.js encode() function when serializing parameters through AxiosURLSearchParams.toString() without an encoder or through custom paramsSerializer delegation. A remote attacker can supply crafted input containing null bytes to inject raw null bytes into serialized URL query parameters.
The standard axios request flow using buildURL is not affected, and exploitation is limited to direct AxiosURLSearchParams usage or custom serializer paths that delegate to the internal encoder.
30) Prototype pollution (CVE-ID: CVE-2026-42041)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass application-level authentication checks and suppress HTTP error handling.
The vulnerability exists due to improperly controlled modification of object prototype attributes ('prototype pollution') in lib/core/mergeConfig.js and lib/core/settle.js when merging request configuration after Object.prototype has been polluted with a crafted validateStatus property. A remote attacker can pollute Object.prototype.validateStatus with a function that always returns true to bypass application-level authentication checks and suppress HTTP error handling.
Exploitation requires chaining with an existing prototype pollution condition elsewhere in the application stack.
31) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-42042)
CWE-ID: CWE-183 - Permissive List of Allowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and bypass CSRF protections.
The vulnerability exists due to permissive list of allowed inputs in lib/helpers/resolveConfig.js when processing the withXSRFToken config property during browser requests. A remote attacker can pollute Object.prototype.withXSRFToken with a truthy non-boolean value or rely on a misconfigured truthy non-boolean value to disclose sensitive information and bypass CSRF protections.
User interaction is required, and the issue affects browser environments where the XSRF logic runs only when hasStandardBrowserEnv is true.
32) Permissive List of Allowed Inputs (CVE-ID: CVE-2026-42043)
CWE-ID: CWE-183 - Permissive List of Allowed Inputs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass proxy restrictions and disclose sensitive information.
The vulnerability exists due to permissive list of allowed inputs in lib/helpers/shouldBypassProxy.js when processing Axios requests to loopback addresses in the 127.0.0.0/8 range. A remote attacker can influence the target URL to bypass proxy restrictions and disclose sensitive information.
Exploitation requires the application to use proxy environment variables and rely on NO_PROXY rules to protect loopback services.
33) Prototype pollution (CVE-ID: CVE-2026-42044)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to tamper with JSON API responses.
The vulnerability exists due to prototype pollution in parseReviver in lib/defaults/index.js when parsing JSON responses. A remote attacker can pollute Object.prototype.parseReviver via another vulnerable library in the dependency tree to tamper with JSON API responses.
Exploitation requires a separate prototype pollution source in the application's dependency tree.
34) HTTP response splitting (CVE-ID: CVE-2026-42035)
CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary HTTP headers into outgoing requests.
The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in lib/adapters/http.js when processing data payloads in HTTP requests after a polluted object prototype causes plain objects to be treated as FormData instances. A remote attacker can pollute Object.prototype so that an attacker-controlled getHeaders() function is invoked to inject arbitrary HTTP headers into outgoing requests.
Exploitation requires a prototype pollution primitive somewhere in the application's dependency chain and the application must use Axios to send requests with a data payload such as POST, PUT, or PATCH.
35) Information disclosure (CVE-ID: CVE-2026-40895)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the redirect handling logic in index.js when following cross-domain redirects. A remote attacker can cause a request to be redirected to an attacker-controlled domain to disclose sensitive information.
Custom authentication headers such as API keys or auth tokens may be forwarded to the redirect target, while only authorization, proxy-authorization, and cookie headers are stripped.
36) NULL pointer dereference (CVE-ID: CVE-2026-42766)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to NULL pointer dereference in password-based CMS decryption when processing a specially crafted CMS message with an absent PasswordRecipientInfo.keyDerivationAlgorithm field. A remote attacker can send a specially crafted CMS message to cause a denial of service.
Applications that process password-encrypted CMS messages may be affected.
37) Heap-based buffer overflow (CVE-ID: CVE-2026-7383)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in ASN1_mbstring_copy() and ASN1_mbstring_ncopy() when converting attacker-controlled multibyte strings to Unicode output. A local user can supply extremely large crafted input to execute arbitrary code.
Triggering the issue requires direct use of ASN1_mbstring_copy() or ASN1_mbstring_ncopy(), or a custom string type registered via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more.
38) Prototype pollution (CVE-ID: CVE-2026-42264)
CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject credentials and hijack requests.
The vulnerability exists due to improperly controlled modification of object prototype attributes in the HTTP adapter when reading configuration properties via direct property access from polluted prototypes. A remote attacker can pollute Object.prototype through another dependency in the same process to inject credentials and hijack requests.
Exploitation requires prototype pollution by another dependency in the same process, and requests using relative URLs can be redirected to an attacker-controlled server.
39) Heap-based buffer overflow (CVE-ID: CVE-2024-34459)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when parsing XML data. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
40) Use-after-free (CVE-ID: CVE-2026-45447)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the PKCS7_verify() function when processing a specially crafted PKCS#7 or S/MIME signed message during PKCS#7 signature verification. A remote attacker can send a specially crafted signed message to execute arbitrary code.
Applications using the CMS APIs for this processing are not affected.
41) Stack-based buffer overflow (CVE-ID: CVE-2025-13151)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error within the asn1_expend_octet_string() function. A remote attacker can pass specially crafted certificate to the application, trigger a stack-based buffer overflow and perform a denial of service attack..
42) Out-of-bounds read (CVE-ID: CVE-2026-9076)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in kek_unwrap_key() when processing attacker-supplied CMS password-based decryption data with a stream-mode KEK cipher. A remote attacker can send a specially crafted CMS message to cause a denial of service.
No password knowledge is required because the over-read occurs during the unwrap attempt before authentication succeeds.
43) Observable discrepancy (CVE-ID: CVE-2026-42768)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to decrypt or sign messages with the victim's private RSA key.
The vulnerability exists due to observable discrepancy in error handling in CMS_decrypt() and PKCS7_decrypt() when processing attacker-supplied CMS or S/MIME messages and exposing decryption errors or output differences. A remote attacker can send crafted messages and observe the application's responses to decrypt or sign messages with the victim's private RSA key.
The attack requires the application to expose the error code and/or decryption output in a way that can be observed by the attacker.
44) Input validation error (CVE-ID: CVE-2026-34181)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to impersonate a user.
The vulnerability exists due to improper input validation in PKCS#12 file processing for PBMAC1 integrity verification when processing unencrypted PKCS#12 files with a one-byte HMAC key. A remote attacker can submit a crafted PKCS#12 file to impersonate a user.
The forged file is accepted with a 1 in 256 probability.
Remediation
Install update from vendor's website.