3.6 - Security fixes
3.6.3-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| admin-center | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| admin-center | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| admin-center | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| admin-center | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| admin-center | CVE-2026-43515 | CRITICAL | Apache Tomcat: Improper Authorization vulnerability when multiple method constraints | 3.6.2-funcrel |
| console | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| console | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| console | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| console | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| console | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| console | CVE-2026-43515 | CRITICAL | Apache Tomcat: Improper Authorization vulnerability when multiple method constraints | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-39823 | HIGH | golang: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-39825 | HIGH | golang: ReverseProxy can forward queries containing parameters not visible to … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-39826 | HIGH | golang: If a trusted template author were to write a script tag containing a … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-40973 | HIGH | Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-42198 | HIGH | pgjdbc: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-43515 | CRITICAL | Apache Tomcat: Improper Authorization vulnerability when multiple method constraints | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-5598 | HIGH | bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons | 3.6.2-funcrel |
| etl-service | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| etl-service | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| etl-service | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| etl-service | CVE-2026-39823 | HIGH | golang: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly … | 3.6.2-funcrel |
| etl-service | CVE-2026-39825 | HIGH | golang: ReverseProxy can forward queries containing parameters not visible to … | 3.6.2-funcrel |
| etl-service | CVE-2026-39826 | HIGH | golang: If a trusted template author were to write a script tag containing a … | 3.6.2-funcrel |
| etl-service | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| etl-service | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
| gateway | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| gateway | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| gateway | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| gateway | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| gateway | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| gateway | CVE-2026-43515 | CRITICAL | Apache Tomcat: Improper Authorization vulnerability when multiple method constraints | 3.6.2-funcrel |
| neo4j | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| neo4j | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| neo4j | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| neo4j | CVE-2026-39823 | HIGH | golang: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly … | 3.6.2-funcrel |
| neo4j | CVE-2026-39825 | HIGH | golang: ReverseProxy can forward queries containing parameters not visible to … | 3.6.2-funcrel |
| neo4j | CVE-2026-39826 | HIGH | golang: If a trusted template author were to write a script tag containing a … | 3.6.2-funcrel |
| neo4j | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| neo4j | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
| sso-service | CVE-2026-42579 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| sso-service | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.2-funcrel |
| viewer | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| viewer | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| viewer | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| viewer | CVE-2026-39823 | HIGH | golang: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly … | 3.6.2-funcrel |
| viewer | CVE-2026-39825 | HIGH | golang: ReverseProxy can forward queries containing parameters not visible to … | 3.6.2-funcrel |
| viewer | CVE-2026-39826 | HIGH | golang: If a trusted template author were to write a script tag containing a … | 3.6.2-funcrel |
| viewer | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| viewer | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.3-funcrel |
| ai-service | CVE-2026-44843 | HIGH | LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists | 3.6.3-funcrel |
| ai-service | CVE-2026-45134 | HIGH | LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning | 3.6.3-funcrel |
| ai-service | CVE-2025-14920 | HIGH | transformers: HuggingFace Transformers Perceiver Model: Deserialization of untrusted data allows remote code execution via malicious model files | 3.6.3-funcrel |
| ai-service | CVE-2025-14921 | HIGH | transformers: HuggingFace Transformers Transformer-XL Model: Deserialization of untrusted data allows remote code execution via malicious model files | 3.6.3-funcrel |
| ai-service | CVE-2025-14924 | HIGH | transformers: HuggingFace Transformers megatron_gpt2: Deserialization of untrusted data allows remote code execution via malicious checkpoint files | 3.6.3-funcrel |
| ai-service | CVE-2025-14926 | HIGH | transformers: HuggingFace Transformers SEW convert_config: Code injection allows remote code execution via malicious checkpoint | 3.6.3-funcrel |
| ai-service | CVE-2025-14927 | HIGH | transformers: HuggingFace Transformers SEW-D convert_config: Code injection allows remote code execution via malicious checkpoint | 3.6.3-funcrel |
| ai-service | CVE-2025-14928 | HIGH | transformers: HuggingFace Transformers HuBERT convert_config: Code injection allows remote code execution via malicious checkpoint | 3.6.3-funcrel |
| ai-service | CVE-2025-14929 | HIGH | transformers: HuggingFace Transformers X-CLIP: Deserialization of untrusted data allows remote code execution via malicious checkpoint | 3.6.3-funcrel |
| ai-service | CVE-2025-14930 | HIGH | transformers: HuggingFace Transformers GLM4: Deserialization of untrusted data allows remote code execution via malicious model weights | 3.6.3-funcrel |
| ai-service | CVE-2025-15281 | HIGH | glibc: wordexp with WRDE_REUSE + WRDE_APPEND may return uninitialized memory in we_wordv, causing wordfree to abort | 3.6.3-funcrel |
| ai-service | CVE-2025-66959 | HIGH | ollama: Security vulnerabilities in Ollama Python client | 3.6.3-funcrel |
| ai-service | CVE-2025-66960 | HIGH | ollama: Security vulnerabilities in Ollama Python client | 3.6.3-funcrel |
| ai-service | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.6.3-funcrel |
| ai-service | CVE-2026-0915 | HIGH | glibc: getnetbyaddr_r with DNS backend and zero-valued network address can leak stack contents to the DNS resolver | 3.6.3-funcrel |
| ai-service | CVE-2026-25087 | HIGH | pyarrow: Apache Arrow pyarrow: Memory safety vulnerability | 3.6.3-funcrel |
| analysis-node | CVE-2025-26646 | HIGH | dotnet: ELSA-2025-7601: .NET 9.0 security update (IMPORTANT) | 3.6.3_core8.4.10 |
| analysis-node | CVE-2025-55247 | HIGH | dotnet: ELSA-2025-18153: .NET 9.0 security update (IMPORTANT) | 3.6.3_core8.4.10 |
| analysis-node | CVE-2025-67030 | HIGH | org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method | 3.6.3_core8.4.10 |
| analysis-node | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.3_core8.4.10 |
| analysis-node | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.3_core8.4.10 |
| analysis-node | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.3_core8.4.10 |
| analysis-node | CVE-2026-26171 | HIGH | dotnet: .NET: Security Bypass and Denial of Service Vulnerability | 3.6.3_core8.4.10 |
| analysis-node | CVE-2026-33116 | HIGH | dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform | 3.6.3_core8.4.10 |
| analysis-node | CVE-2026-42198 | HIGH | pgjdbc: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication | 3.6.3_core8.4.10 |
| analysis-node | CVE-2026-44431 | HIGH | urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers | 3.6.3_core8.4.10 |
| analysis-node | CVE-2026-44432 | HIGH | urllib3: urllib3: Denial of Service due to excessive HTTP response decompression | 3.6.3_core8.4.10 |
| imaging-apis | CVE-2025-22868 | HIGH | An attacker can pass a malicious malformed token which causes unexpected … | 3.6.3-funcrel |
| imaging-apis | CVE-2026-32316 | HIGH | jq: An integer overflow vulnerability exists through version 1.8.1 | 3.6.3-funcrel |
| imaging-apis | CVE-2026-5773 | HIGH | curl: libcurl may reuse wrong connection for SMB(S) transfers, leading to download of wrong file or upload to wrong place | 3.6.3-funcrel |
| imaging-apis | CVE-2026-6276 | HIGH | curl: libcurl leaks cookies to second request when custom Host header is removed from a reused easy handle | 3.6.3-funcrel |
| etl-service | CVE-2026-32316 | HIGH | jq: An integer overflow vulnerability exists through version 1.8.1 | 3.6.3-funcrel |
| etl-service | CVE-2026-35385 | HIGH | openssh: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid | 3.6.3-funcrel |
| etl-service | CVE-2026-5773 | HIGH | curl: libcurl may reuse wrong connection for SMB(S) transfers, leading to download of wrong file or upload to wrong place | 3.6.3-funcrel |
| etl-service | CVE-2026-6276 | HIGH | curl: libcurl leaks cookies to second request when custom Host header is removed from a reused easy handle | 3.6.3-funcrel |
| neo4j | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.3-funcrel |
| neo4j | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.3-funcrel |
| neo4j | GHSA-72hv-8253-57qq | HIGH | jackson-core: The non-blocking (async) JSON parser bypasses the maxNumberLength constraint | 3.6.3-funcrel |
| neo4j | CVE-2026-42577 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.3-funcrel |
| neo4j | CVE-2026-42579 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.3-funcrel |
| neo4j | CVE-2026-42582 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.3-funcrel |
| neo4j | CVE-2026-42583 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.3-funcrel |
| neo4j | CVE-2026-42584 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.3-funcrel |
| neo4j | CVE-2026-42587 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.3-funcrel |
| neo4j | CVE-2025-15281 | HIGH | glibc: wordexp with WRDE_REUSE + WRDE_APPEND may return uninitialized memory in we_wordv, causing wordfree to abort | 3.6.3-funcrel |
| neo4j | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.6.3-funcrel |
| neo4j | CVE-2026-0915 | HIGH | glibc: getnetbyaddr_r with DNS backend and zero-valued network address can leak stack contents to the DNS resolver | 3.6.3-funcrel |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.6.3-funcrel |
| sso-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.3-funcrel |
| viewer | CVE-2025-22868 | HIGH | An attacker can pass a malicious malformed token which causes unexpected … | 3.6.3-funcrel |
SSO Service: CVE-2025-59250 is a false positive: the installed library is version 13.2.1, while Trivy expects 13.2.1.jre; they are the same library. CVE-2025-69720 requires a fix in the base Keycloak image.
Regarding Netty CVE-2026-42581 that some tools may report against SSO Service: this CVE is only exploitable if Keycloak is behind a reverse proxy that is “content-length first” and accepts HTTP/1.0 requests. In direct connection, this is not exploitable.
Analysis node: Only Java and Python vulnerabilities will be fixed in the next CAST Imaging Core 8.4.11 release.
The following CVEs were marked as “Not Affected”:
- CVE-2025-26646 (Microsoft.Build.Tasks.Core): --no-restore skips the NuGet restore pipeline where this CVE lives.
- CVE-2025-55247 (Microsoft.Build.Tasks.Core): MSBuild input comes exclusively from CAST’s own tooling — no external input.
- CVE-2025-67030 (plexus-utils): The vulnerable code path is never invoked at runtime.
- CVE-2026-24049 (wheel): wheel is a build-time tool only — not used at runtime.
- CVE-2026-26171 (System.Security.Cryptography.Xml): Not loaded during any runtime code path.
- CVE-2026-33116 (System.Security.Cryptography.Xml): Same as CVE-2026-26171.
- CVE-2026-42198 (pgjdbc): Exploitation requires an attacker to control the PostgreSQL server, which is the customer’s own trusted database.
- CVE-2026-44431 (urllib3): Not used in any production code path.
- CVE-2026-44432 (urllib3): Same as CVE-2026-44431.
The following CVEs are OS-level and are waiting for a fix from the OS vendor:
- CVE-2025-69720 (ncurses): Debian NODSA.
3.6.2-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2026-40466 | HIGH | org.apache.activemq: Apache ActiveMQ: Arbitrary code execution via improper input validation in HTTP Discovery transport | 3.6.1-funcrel |
| admin-center | CVE-2026-40982 | CRITICAL | Spring Cloud Config vulnerable to Path Traversal | 3.6.1-funcrel |
| admin-center | CVE-2026-41002 | HIGH | Spring Cloud Config Server Susceptible To TOCTOU Attack | 3.6.1-funcrel |
| admin-center | CVE-2026-41044 | HIGH | org.apache.activemq: Apache ActiveMQ: Arbitrary code execution via improper input validation in admin console | 3.6.1-funcrel |
| admin-center | CVE-2026-42198 | HIGH | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication | 3.6.1-funcrel |
| admin-center | CVE-2026-42579 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| admin-center | CVE-2026-42583 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| admin-center | CVE-2026-42584 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| admin-center | CVE-2026-42587 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| ai-service | CVE-2026-44431 | HIGH | urllib3: urllib3 is an HTTP client library for Python. From 1.23 to before 2.7. … | 3.6.1-funcrel |
| ai-service | CVE-2026-44432 | HIGH | urllib3: urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7 … | 3.6.1-funcrel |
| analysis-node | CVE-2026-34982 | HIGH | vim: arbitrary command execution via modeline sandbox bypass | 3.6.1-funcrel_core8.4.10 |
| analysis-node | CVE-2026-35535 | HIGH | sudo: Sudo: Privilege escalation due to failure in privilege drop calls | 3.6.1-funcrel_core8.4.10 |
| analysis-node | CVE-2026-40355 | HIGH | krb5: MIT Kerberos 5: Denial of Service via NULL pointer dereference in NegoEx mechanism | 3.6.1-funcrel_core8.4.10 |
| analysis-node | CVE-2026-40356 | HIGH | krb5: MIT Kerberos 5: Denial of Service via integer underflow and out-of-bounds read | 3.6.1-funcrel_core8.4.10 |
| analysis-node | CVE-2026-41035 | HIGH | rsync: Rsync: Use-after-free vulnerability in extended attribute handling | 3.6.1-funcrel_core8.4.10 |
| analysis-node | CVE-2026-41066 | HIGH | lxml: lxml: Information disclosure via untrusted XML input leading to local file read | 3.6.1-funcrel_core8.4.10 |
| analysis-node | CVE-2026-4775 | HIGH | libtiff: libtiff: Arbitrary code execution or denial of service via signed integer overflow in TIFF file processing | 3.6.1-funcrel_core8.4.10 |
| auth-service | CVE-2026-42579 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| auth-service | CVE-2026-42583 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| auth-service | CVE-2026-42584 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| auth-service | CVE-2026-42587 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| console | CVE-2026-42198 | HIGH | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication | 3.6.1-funcrel |
| gateway | CVE-2026-42579 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| gateway | CVE-2026-42583 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| gateway | CVE-2026-42584 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| gateway | CVE-2026-42587 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| imaging-apis | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.1-funcrel |
| imaging-apis | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.1-funcrel |
| imaging-apis | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.1-funcrel |
| imaging-apis | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.1-funcrel |
| imaging-apis | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.1-funcrel |
| neo4j | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.1-funcrel |
| neo4j | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.1-funcrel |
| sso-service | CVE-2026-2603 | HIGH | keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider | 3.6.1-funcrel |
| sso-service | CVE-2026-39852 | HIGH | io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests | 3.6.1-funcrel |
| sso-service | CVE-2026-42198 | HIGH | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication | 3.6.1-funcrel |
| sso-service | CVE-2026-42583 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| sso-service | CVE-2026-42584 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| sso-service | CVE-2026-42587 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.1-funcrel |
| sso-service | CVE-2026-5598 | HIGH | bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons | 3.6.1-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| admin-center | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| admin-center | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| admin-center | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| admin-center | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| ai-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.2-funcrel |
| ai-service | CVE-2026-44843 | HIGH | LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists | 3.6.2-funcrel |
| ai-service | CVE-2026-45134 | HIGH | LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning | 3.6.2-funcrel |
| analysis-node | CVE-2025-26646 | HIGH | dotnet: .NET and Visual Studio Spoofing Vulnerability | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2025-55247 | HIGH | dotnet: .NET Denial of Service Vulnerability | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2025-67030 | HIGH | org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-26171 | HIGH | dotnet: .NET: Security Bypass and Denial of Service Vulnerability | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-33116 | HIGH | dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-44431 | HIGH | urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-44432 | HIGH | urllib3: urllib3: Denial of Service due to excessive HTTP response decompression | 3.6.2-funcrel_core8.4.10 |
| analysis-node | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.2-funcrel_core8.4.10 |
| console | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| console | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| console | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| console | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| console | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-40973 | HIGH | Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-42198 | HIGH | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| dashboards-v3 | CVE-2026-5598 | HIGH | bouncycastle: BC-JAVA: private key leakage via non-constant time comparisons | 3.6.2-funcrel |
| etl-service | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| etl-service | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| etl-service | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| etl-service | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| etl-service | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
| gateway | CVE-2026-41284 | HIGH | Apache Tomcat: Allocation of Resources Without Limits or Throttling vulnerability | 3.6.2-funcrel |
| gateway | CVE-2026-41293 | CRITICAL | Apache Tomcat: Improper Input Validation vulnerability in Apache Tomcat | 3.6.2-funcrel |
| gateway | CVE-2026-42498 | HIGH | Apache Tomcat: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket redirect | 3.6.2-funcrel |
| gateway | CVE-2026-43512 | CRITICAL | Apache Tomcat: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication | 3.6.2-funcrel |
| gateway | CVE-2026-43513 | HIGH | Apache Tomcat: Improper Handling of Case Sensitivity vulnerability in LockOutRealm | 3.6.2-funcrel |
| neo4j | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.2-funcrel |
| neo4j | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| neo4j | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| neo4j | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.2-funcrel |
| neo4j | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| neo4j | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| neo4j | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
| neo4j | CVE-2026-42577 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| neo4j | CVE-2026-42579 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| neo4j | CVE-2026-42582 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| neo4j | CVE-2026-42583 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| neo4j | CVE-2026-42584 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| neo4j | CVE-2026-42587 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.6.2-funcrel |
| sso-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.2-funcrel |
| sso-service | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.2-funcrel |
| sso-service | CVE-2026-42579 | HIGH | Netty: Netty is an asynchronous, event-driven network application framework. … | 3.6.2-funcrel |
| sso-service | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.2-funcrel |
| viewer | CVE-2026-33811 | HIGH | golang: When using LookupCNAME with the cgo DNS resolver, a very long CNAME re … | 3.6.2-funcrel |
| viewer | CVE-2026-33814 | HIGH | golang: When processing HTTP/2 SETTINGS frames, transport will enter an infini … | 3.6.2-funcrel |
| viewer | CVE-2026-39820 | HIGH | golang: Well-crafted inputs reaching ParseAddress, ParseAddressList, and Parse … | 3.6.2-funcrel |
| viewer | CVE-2026-39836 | HIGH | golang: Panic in Dial and LookupPort when handling NUL byte on Windows in net | 3.6.2-funcrel |
| viewer | CVE-2026-42499 | HIGH | golang: Pathological inputs could cause DoS through consumePhrase when parsing … | 3.6.2-funcrel |
SSO Service: CVE-2025-59250 is a false positive. The installed library is version 13.2.1, while Trivy expects 13.2.1.jre; they are the same library.
Analysis node: Only Java and Python vulnerabilities will be fixed in the next CAST Imaging Core 8.4.11 release.
The following CVEs were marked as “Not Affected”:
- CVE-2025-26646 (Microsoft.Build.Tasks.Core): `--no-restore` skips the NuGet restore pipeline where this CVE lives.
- CVE-2025-55247 (Microsoft.Build.Tasks.Core): MSBuild input comes exclusively from CAST’s own tooling — no external input.
- CVE-2025-67030 (plexus-utils): The vulnerable code path is never invoked at runtime.
- CVE-2026-24049 (wheel): wheel is a build-time tool only — not used at runtime.
- CVE-2026-26171 (System.Security.Cryptography.Xml): Not loaded during any runtime code path.
- CVE-2026-33116 (System.Security.Cryptography.Xml): Same as CVE-2026-26171.
- CVE-2026-42198 (pgjdbc): Exploitation requires an attacker to control the PostgreSQL server, which is the customer’s own trusted database.
- CVE-2026-44431 (urllib3): Not used in any production code path.
- CVE-2026-44432 (urllib3): Same as CVE-2026-44431.
The following CVEs are OS-level; a fix is awaited from the OS vendor:
- CVE-2025-69720 (ncurses): Debian NODSA.
- CVE-2026-29111 (systemd): Debian NODSA.
3.6.1-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.0-funcrel |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.0-funcrel |
| ai-service | CVE-2026-34070 | HIGH | langchain: path traversal in legacy load_prompt functions in langchain-core | 3.6.0-funcrel |
| analysis-node | CVE-2026-27135 | HIGH | nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-32178 | HIGH | dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-32203 | HIGH | dotnet: .NET: Denial of Service via stack overflow | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-41066 | HIGH | lxml is a library for processing XML and HTML in the Python language. … | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-4424 | HIGH | libarchive: libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing | 3.6.0_core8.4.10 |
| analysis-node | CVE-2026-5121 | HIGH | libarchive: libarchive: Arbitrary code execution via integer overflow in ISO9660 image processing | 3.6.0_core8.4.10 |
| auth-service | CVE-2026-40477 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution | 3.6.0-funcrel |
| auth-service | CVE-2026-40478 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.6.0-funcrel |
| etl-service | CVE-2026-32280 | HIGH | crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building | 3.6.0-funcrel |
| etl-service | CVE-2026-32281 | HIGH | crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation | 3.6.0-funcrel |
| etl-service | CVE-2026-32283 | HIGH | If one side of the TLS connection sends multiple key update messages p … | 3.6.0-funcrel |
| gateway | CVE-2026-40477 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via security bypass in expression execution | 3.6.0-funcrel |
| gateway | CVE-2026-40478 | CRITICAL | thymeleaf: Thymeleaf: Server-Side Template Injection via expression execution bypass | 3.6.0-funcrel |
| neo4j | CVE-2026-1605 | HIGH | org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests | 3.6.0-funcrel |
| neo4j | CVE-2026-2332 | HIGH | org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing | 3.6.0-funcrel |
| neo4j | CVE-2026-32280 | HIGH | crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building | 3.6.0-funcrel |
| neo4j | CVE-2026-32281 | HIGH | crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation | 3.6.0-funcrel |
| neo4j | CVE-2026-32283 | HIGH | If one side of the TLS connection sends multiple key update messages p … | 3.6.0-funcrel |
| neo4j | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0-funcrel |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.6.0-funcrel |
| sso-service | CVE-2026-22016 | HIGH | openjdk: OpenJDK: Enhance Path Factories Redux (Oracle CPU 2026-04) | 3.6.0-funcrel |
| sso-service | CVE-2026-22020 | HIGH | openjdk: OpenJDK: Update LibPNG (Oracle CPU 2026-04) | 3.6.0-funcrel |
| sso-service | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.6.0-funcrel |
| sso-service | CVE-2026-26740 | HIGH | giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension | 3.6.0-funcrel |
| sso-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0-funcrel |
| sso-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0-funcrel |
| sso-service | CVE-2026-34282 | HIGH | openjdk: OpenJDK: Enhance TLS connection handling (Oracle CPU 2026-04) | 3.6.0-funcrel |
| sso-service | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.0-funcrel |
| viewer | CVE-2026-32280 | HIGH | crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building | 3.6.0-funcrel |
| viewer | CVE-2026-32281 | HIGH | crypto/x509: golang: Go crypto/x509: Denial of Service via inefficient certificate chain validation | 3.6.0-funcrel |
| viewer | CVE-2026-32283 | HIGH | If one side of the TLS connection sends multiple key update messages p … | 3.6.0-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1-funcrel |
| ai-service | CVE-2026-3298 | HIGH | python: The method “sock_recvfrom_into()” of “asyncio.ProactorEventLoop” (Windows only) was missing a boundary check… | 3.6.1-funcrel |
| ai-service | CVE-2026-4786 | HIGH | python: Mitigation of CVE-2026-4519 was incomplete. If the URL contained “%action” the mitigation could be bypassed… | 3.6.1-funcrel |
| ai-service | CVE-2026-5435 | HIGH | glibc: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer… | 3.6.1-funcrel |
| ai-service | CVE-2026-6100 | CRITICAL | python: Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile… | 3.6.1-funcrel |
| analysis-node | CVE-2025-26646 | HIGH | dotnet: .NET and Visual Studio Spoofing Vulnerability | 3.6.1_core8.4.10 |
| analysis-node | CVE-2025-55247 | HIGH | dotnet: .NET Denial of Service Vulnerability | 3.6.1_core8.4.10 |
| analysis-node | CVE-2025-67030 | HIGH | org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method | 3.6.1_core8.4.10 |
| analysis-node | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-26171 | HIGH | dotnet: .NET: Security Bypass and Denial of Service Vulnerability | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.1_core8.4.10 |
| analysis-node | CVE-2026-33116 | HIGH | dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform | 3.6.1_core8.4.10 |
| etl-service | CVE-2026-32316 | HIGH | jq: An integer overflow vulnerability exists through version 1.8.1 … | 3.6.1-funcrel |
| etl-service | CVE-2026-35385 | HIGH | openssh: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid … | 3.6.1-funcrel |
| etl-service | CVE-2026-3805 | HIGH | curl: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | 3.6.1-funcrel |
| imaging-apis | CVE-2026-32316 | HIGH | jq: An integer overflow vulnerability exists through version 1.8.1 … | 3.6.1-funcrel |
| imaging-apis | CVE-2026-3805 | HIGH | curl: When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | 3.6.1-funcrel |
| neo4j | CVE-2025-15281 | HIGH | … | 3.6.1-funcrel |
| neo4j | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1-funcrel |
| neo4j | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.6.1-funcrel |
| neo4j | CVE-2026-0915 | HIGH | … | 3.6.1-funcrel |
| neo4j | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.1-funcrel |
| neo4j | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.1-funcrel |
| neo4j | CVE-2026-5435 | HIGH | glibc: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer… | 3.6.1-funcrel |
| neo4j | GHSA-72hv-8253-57qq | HIGH | jackson-core: The non-blocking (async) JSON parser bypasses the maxNumberLength constraint … | 3.6.1-funcrel |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.6.1-funcrel |
| sso-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.1-funcrel |
| sso-service | CVE-2026-2603 | HIGH | keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider | 3.6.1-funcrel |
| sso-service | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.1-funcrel |
The SSO Service image is based on the Docker Hardened variant of Keycloak 26.5.7. Following the security analysis done by the Docker team on this base image and its VEX attestation records, the following CVEs were marked as “Not Affected”:
- CVE-2025-59250 - Docker Scout Team comment: False positive. The image ships mssql-jdbc 13.2.1.jre11, which the advisory lists as the fixed version. Scout strips the .jre11 classifier in its SBOM, so an additional statement is required to match the bare 13.2.1 PURL.
- CVE-2025-69720 - Docker Scout Team comment: Debian NODSA
- CVE-2026-29111 - Docker Scout Team comment: Debian NODSA
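One way to record this kind of triage so the scanner stops reporting the bare 13.2.1 package (the same false positive is noted for 3.6.3-funcrel above), as an added example that is not from the page or from CAST: an OpenVEX document with a single not_affected statement for CVE-2025-59250. The Maven coordinates in the PURL (com.microsoft.sqlserver/mssql-jdbc), the document id, the author and the timestamp are assumptions, not values taken from the page.

```json
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/sso-service-3.6.3-funcrel",
  "author": "example-security-team (placeholder)",
  "timestamp": "2026-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": { "name": "CVE-2025-59250" },
      "products": [
        { "@id": "pkg:maven/com.microsoft.sqlserver/mssql-jdbc@13.2.1" }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present",
      "impact_statement": "Constructed example. The shipped artifact is mssql-jdbc 13.2.1.jre11, the version the advisory lists as fixed; the scanner's SBOM strips the .jre11 classifier, so this statement targets the bare 13.2.1 PURL it emits."
    }
  ]
}
```

Trivy accepts such a file through its --vex option; check that the PURL matches the one in your own SBOM before relying on the suppression.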
Analysis node fixes are targeted for CAST Imaging Core 8.4.11. The impact of the changes requires further testing to avoid regressions, and waiting for that testing would have long delayed the release of the other images and their related security fixes.
CVE-2026-29111 and CVE-2025-69720 are shared with the SSO Service and are reported by the Docker Scout team as “no-DSA”, a Debian status for issues that do not require an immediate fix:
- CVE-2026-29111 - Debian Security Team considers this CVE as Minor.
- CVE-2025-69720 - Debian NODSA.
The AI service image is based on the Python Docker Hardened Image. According to the CVE suppressions on this image, most of the known CVEs above have been annotated as “Not Affected”, i.e. Trivy reports them but they are already fixed or mitigated, or are not considered as severe as the CVSS score might suggest.
- CVE-2026-6100: Marked as “Under investigation” and “Not affected” on the same day. Docker Scout Comments: “Under investigation”: Waiting for upstream fix; no fixed version is available yet. “Not affected”: DHI backport applied; follow-up to CVE-2026-4519.
- CVE-2026-3298: Not affected. Docker Scout Comment: DHI backport applied; upstream fix adds boundary check to asyncio.AbstractEventLoop.sock_recvfrom_into() to prevent buffer overflow on Windows.
- CVE-2026-4786: Marked as “Under investigation” and “Not affected” on the same day. Docker Scout Comments: “Under investigation”: Waiting for upstream fix; no fixed version is available yet. “Not affected”: DHI backport applied; follow-up to CVE-2026-4519.
- CVE-2026-5435: “Under investigation”. Docker Scout Comment: No fixed version available from Debian yet. Waiting for upstream glibc/trixie security update.
- CVE-2025-69720: “Not affected”. Docker Scout Comment: Debian NODSA.
The Neo4j image is based on the Docker Hardened Image Debian 13 base. Most system-level CVEs reported by tools such as Trivy, Grype or Docker Scout are marked as “Not affected” or “Under investigation”; this includes CVE-2026-29111 and CVE-2025-69720. CVE-2026-33871 and GHSA-72hv-8253-57qq require fixes in the neo4j package itself.
3.6.0-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| admin-center | CVE-2026-22739 | HIGH | Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access | 3.5.9-funcrel |
| admin-center | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.5.9-funcrel |
| admin-center | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.5.9-funcrel |
| admin-center | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| admin-center | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| admin-center | CVE-2026-34197 | HIGH | org.apache.activemq/activemq-broker: org.apache.activemq/activemq-all: Apache ActiveMQ: Arbitrary Code Execution via crafted discovery URI in Jolokia JMX-HTTP bridge | 3.5.9-funcrel |
| admin-center | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.5.9-funcrel |
| admin-center | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.5.9-funcrel |
| admin-center | CVE-2026-39304 | HIGH | Apache ActiveMQ Client: Apache ActiveMQ Broker: Apache ActiveMQ: Apache ActiveMQ: Denial of Service due to TLSv1.3 KeyUpdate memory exhaustion | 3.5.9-funcrel |
| admin-center | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| ai-service | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.5.9-funcrel |
| ai-service | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.5.9-funcrel |
| analysis-node | CVE-2026-28417 | HIGH | vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin | 3.5.9_core8.4.10 |
| analysis-node | CVE-2026-28421 | HIGH | vim: Vim: Denial of service and information disclosure via crafted swap file | 3.5.9_core8.4.10 |
| analysis-node | CVE-2026-33412 | HIGH | vim: Vim: Arbitrary code execution via command injection in glob() function | 3.5.9_core8.4.10 |
| auth-service | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| auth-service | CVE-2026-22732 | CRITICAL | Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers | 3.5.9-funcrel |
| auth-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| auth-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| auth-service | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| console | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| console | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| console | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| console | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| dashboards-v3 | CVE-2026-22732 | CRITICAL | Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers | 3.5.9-funcrel |
| dashboards-v3 | CVE-2026-24734 | HIGH | tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation | 3.5.9-funcrel |
| etl-service | CVE-2026-25679 | HIGH | net/url: Incorrect parsing of IPv6 host literals in net/url | 3.5.9-funcrel |
| etl-service | CVE-2026-28390 | HIGH | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing | 3.5.9-funcrel |
| etl-service | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| gateway | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| gateway | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.5.9-funcrel |
| gateway | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.5.9-funcrel |
| gateway | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.5.9-funcrel |
| gateway | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.5.9-funcrel |
| gateway | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.5.9-funcrel |
| gateway | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.5.9-funcrel |
| gateway | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
| sso-service | CVE-2026-2603 | HIGH | keycloak: Keycloak: Unauthorized authentication via disabled SAML Identity Provider | 3.5.9-funcrel |
| sso-service | CVE-2026-3872 | HIGH | keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass | 3.5.9-funcrel |
| sso-service | CVE-2026-4282 | HIGH | keycloak: Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw | 3.5.9-funcrel |
| sso-service | CVE-2026-4634 | HIGH | keycloak: Keycloak: Denial of Service via excessive processing of OpenID Connect scope parameters | 3.5.9-funcrel |
| sso-service | CVE-2026-4636 | HIGH | keycloak: Keycloak: UMA policy bypass allows authenticated users to gain unauthorized access to victim-owned resources. | 3.5.9-funcrel |
| viewer | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.9-funcrel |
| viewer | CVE-2026-25679 | HIGH | net/url: Incorrect parsing of IPv6 host literals in net/url | 3.5.9-funcrel |
| viewer | CVE-2026-28390 | HIGH | openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing | 3.5.9-funcrel |
| viewer | CVE-2026-40200 | HIGH | musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort | 3.5.9-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.0-funcrel |
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.6.0-funcrel |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.6.0-funcrel |
| ai-service | CVE-2026-34070 | HIGH | langchain: path traversal in legacy load_prompt functions in langchain-core | 3.6.0-funcrel |
| analysis-node | CVE-2025-67030 | HIGH | org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method | 3.6.0_core8.4.10 |
| auth-service | CVE-2026-40477 | CRITICAL | Improper restriction of the scope of accessible objects in Thymeleaf expressions | 3.6.0-funcrel |
| auth-service | CVE-2026-40478 | CRITICAL | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-29129 | HIGH | Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-29145 | CRITICAL | Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-34483 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure due to improper encoding in JsonAccessLogValve | 3.6.0-funcrel |
| dashboards-v3 | CVE-2026-34487 | HIGH | Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files | 3.6.0-funcrel |
| etl-service | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0-funcrel |
| etl-service | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0-funcrel |
| gateway | CVE-2026-40477 | CRITICAL | Improper restriction of the scope of accessible objects in Thymeleaf expressions | 3.6.0-funcrel |
| gateway | CVE-2026-40478 | CRITICAL | Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf | 3.6.0-funcrel |
| neo4j | CVE-2025-69720 | HIGH | ncurses: ncurses: Buffer overflow vulnerability may lead to arbitrary code execution. | 3.6.0-funcrel |
| neo4j | CVE-2026-1605 | HIGH | org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests | 3.6.0-funcrel |
| neo4j | CVE-2026-2332 | HIGH | org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing | 3.6.0-funcrel |
| neo4j | CVE-2026-29111 | HIGH | systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data | 3.6.0-funcrel |
| neo4j | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0-funcrel |
| neo4j | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0-funcrel |
| neo4j | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0-funcrel |
| neo4j | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0-funcrel |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.6.0-funcrel |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.6.0-funcrel |
| sso-service | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.6.0-funcrel |
| sso-service | CVE-2026-26740 | HIGH | giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension | 3.6.0-funcrel |
| sso-service | CVE-2026-33870 | HIGH | io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values | 3.6.0-funcrel |
| sso-service | CVE-2026-33871 | HIGH | netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood | 3.6.0-funcrel |
| sso-service | CVE-2026-4878 | HIGH | libcap: libcap: Privilege escalation via TOCTOU race condition in cap_set_file() | 3.6.0-funcrel |
| viewer | CVE-2026-32280 | HIGH | During chain building, the amount of work that is done is not correctl … | 3.6.0-funcrel |
| viewer | CVE-2026-32282 | HIGH | golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root | 3.6.0-funcrel |
Critical CVEs on Auth Service and Gateway (CVE-2026-40477 and CVE-2026-40478) were reported during our release window. The library is included but is not used to serve any content or to generate any templates, so the risk is very low. These CVEs will be resolved in 3.6.1.
In sso-service, CVE-2025-59250 is a false positive: the MSSQL JDBC driver already includes the fix for this CVE, but our scanner expects the version to be 13.2.1.jre while the included version is reported as 13.2.1. The other CVEs are expected to be fixed in 3.6.1 when we update the base Keycloak image.