3.5 - Security fixes
3.5.6-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2025-32988 | HIGH | gnutls: Vulnerability in GnuTLS otherName SAN export | 3.5.5-funcrel |
| admin-center | CVE-2025-32990 | HIGH | gnutls: Vulnerability in GnuTLS certtool template parsing | 3.5.5-funcrel |
| admin-center | CVE-2026-1584 | HIGH | gnutls: gnutls: Remote Denial of Service via crafted ClientHello with invalid PSK binder | 3.5.5-funcrel |
| auth-service | CVE-2025-32988 | HIGH | gnutls: Vulnerability in GnuTLS otherName SAN export | 3.5.5-funcrel |
| auth-service | CVE-2025-32990 | HIGH | gnutls: Vulnerability in GnuTLS certtool template parsing | 3.5.5-funcrel |
| auth-service | CVE-2026-1584 | HIGH | gnutls: gnutls: Remote Denial of Service via crafted ClientHello with invalid PSK binder | 3.5.5-funcrel |
| auth-service | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.5-funcrel |
| gateway | CVE-2025-32988 | HIGH | gnutls: Vulnerability in GnuTLS otherName SAN export | 3.5.5-funcrel |
| gateway | CVE-2025-32990 | HIGH | gnutls: Vulnerability in GnuTLS certtool template parsing | 3.5.5-funcrel |
| gateway | CVE-2026-1584 | HIGH | gnutls: gnutls: Remote Denial of Service via crafted ClientHello with invalid PSK binder | 3.5.5-funcrel |
| gateway | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.5-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.6-funcrel |
| admin-center | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel |
| ai-service | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.5.6-funcrel |
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.5.6-funcrel |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.5.6-funcrel |
| analysis-node | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel_core8.4.9 |
| auth-service | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel |
| console | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.6-funcrel |
| console | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel |
| dashboards-v3 | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel |
| gateway | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel |
| neo4j | CVE-2026-1605 | HIGH | org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests | 3.5.6-funcrel |
| neo4j | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.5.6-funcrel |
| sso-service | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.6-funcrel |
| sso-service | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.6-funcrel |
| sso-service | CVE-2025-66021 | HIGH | com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer: OWASP Java HTML Sanitizer vulnerable to XSS | 3.5.6-funcrel |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.6-funcrel |
| sso-service | CVE-2026-1486 | HIGH | org.keycloak.protocol.oidc.grants: Disabled identity providers are still accepted for JWT Authorization Grant | 3.5.6-funcrel |
| sso-service | CVE-2026-1529 | HIGH | org.keycloak.services.resources.organizations: Keycloak: Unauthorized organization registration via improper invitation token validation | 3.5.6-funcrel |
| sso-service | CVE-2026-21945 | HIGH | openjdk: Enhance Certificate Checking (Oracle CPU 2026-01) | 3.5.6-funcrel |
| sso-service | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.6-funcrel |
| sso-service | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.6-funcrel |
| viewer | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.6-funcrel |
3.5.5-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2026-26007 | HIGH | cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves | 3.5.4-funcrel |
| analysis-node | CVE-2026-0719 | HIGH | libsoup: Signed to Unsigned Conversion Error Leading to Stack-Based Buffer Overflow in libsoup NTLM Authentication | 3.5.4-funcrel |
| analysis-node | CVE-2026-1761 | HIGH | libsoup: Stack-Based Buffer Overflow in libsoup Multipart Response Parsingmultipart HTTP response | 3.5.4-funcrel |
| analysis-node | CVE-2026-25990 | HIGH | pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image | 3.5.4-funcrel |
| console | CVE-2025-32988 | HIGH | gnutls: Vulnerability in GnuTLS otherName SAN export | 3.5.4-funcrel |
| console | CVE-2025-32990 | HIGH | gnutls: Vulnerability in GnuTLS certtool template parsing | 3.5.4-funcrel |
| console | CVE-2026-1584 | HIGH | gnutls: gnutls: Remote Denial of Service via crafted ClientHello with invalid PSK binder | 3.5.4-funcrel |
| etl-service | CVE-2025-61726 | HIGH | golang: net/url: Memory exhaustion in query parameter parsing in net/url | 3.5.4-funcrel |
| etl-service | CVE-2025-61728 | HIGH | golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip | 3.5.4-funcrel |
| etl-service | CVE-2025-68121 | CRITICAL | crypto/tls: Unexpected session resumption in crypto/tls | 3.5.4-funcrel |
| neo4j | CVE-2025-12183 | HIGH | lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure | 3.5.4-funcrel |
| neo4j | CVE-2025-6176 | HIGH | Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS | 3.5.4-funcrel |
| neo4j | CVE-2025-66566 | HIGH | lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing | 3.5.4-funcrel |
| neo4j | CVE-2025-67721 | HIGH | aircompressor Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer | 3.5.4-funcrel |
| neo4j | CVE-2026-23745 | HIGH | node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives | 3.5.4-funcrel |
| viewer | CVE-2025-61726 | HIGH | golang: net/url: Memory exhaustion in query parameter parsing in net/url | 3.5.4-funcrel |
| viewer | CVE-2025-61728 | HIGH | golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip | 3.5.4-funcrel |
| viewer | CVE-2025-68121 | CRITICAL | crypto/tls: Unexpected session resumption in crypto/tls | 3.5.4-funcrel |
| viewer | CVE-2026-21932 | HIGH | openjdk: Enhance Handling of URIs (Oracle CPU 2026-01) | 3.5.4-funcrel |
| viewer | CVE-2026-21945 | HIGH | openjdk: Enhance Certificate Checking (Oracle CPU 2026-01) | 3.5.4-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2025-32990 | HIGH | gnutls: Vulnerability in GnuTLS certtool template parsing | 3.5.5-funcrel |
| admin-center | CVE-2026-1584 | HIGH | gnutls: gnutls: Remote Denial of Service via crafted ClientHello with invalid PSK binder | 3.5.5-funcrel |
| admin-center | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.5-funcrel |
| admin-center | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| ai-service | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.5.5-funcrel |
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.5.5-funcrel |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.5.5-funcrel |
| analysis-node | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| auth-service | CVE-2025-32990 | HIGH | gnutls: Vulnerability in GnuTLS certtool template parsing | 3.5.5-funcrel |
| auth-service | CVE-2026-1584 | HIGH | gnutls: gnutls: Remote Denial of Service via crafted ClientHello with invalid PSK binder | 3.5.5-funcrel |
| auth-service | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.5-funcrel |
| auth-service | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| console | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.5-funcrel |
| console | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| dashboards-v3 | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| gateway | CVE-2025-32988 | HIGH | gnutls: Vulnerability in GnuTLS otherName SAN export | 3.5.5-funcrel |
| gateway | CVE-2025-32990 | HIGH | gnutls: Vulnerability in GnuTLS certtool template parsing | 3.5.5-funcrel |
| gateway | CVE-2026-1584 | HIGH | gnutls: gnutls: Remote Denial of Service via crafted ClientHello with invalid PSK binder | 3.5.5-funcrel |
| gateway | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.5-funcrel |
| gateway | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| neo4j | CVE-2026-1605 | HIGH | org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests | 3.5.5-funcrel |
| neo4j | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.5.5-funcrel |
| sso-service | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.5-funcrel |
| sso-service | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.5-funcrel |
| sso-service | CVE-2025-66021 | HIGH | com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer: OWASP Java HTML Sanitizer vulnerable to XSS | 3.5.5-funcrel |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.5-funcrel |
| sso-service | CVE-2026-1486 | HIGH | org.keycloak.protocol.oidc.grants: Disabled identity providers are still accepted for JWT Authorization Grant | 3.5.5-funcrel |
| sso-service | CVE-2026-1529 | HIGH | org.keycloak.services.resources.organizations: Keycloak: Unauthorized organization registration via improper invitation token validation | 3.5.5-funcrel |
| sso-service | CVE-2026-21945 | HIGH | openjdk: Enhance Certificate Checking (Oracle CPU 2026-01) | 3.5.5-funcrel |
| sso-service | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.5-funcrel |
| sso-service | GHSA-72hv-8253-57qq | HIGH | jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | 3.5.5-funcrel |
| viewer | CVE-2026-25646 | HIGH | libpng: LIBPNG has a heap buffer overflow in png_set_quantize | 3.5.5-funcrel |
3.5.4-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| admin-center | CVE-2025-15467 | CRITICAL | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| admin-center | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.3-funcrel |
| admin-center | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.3-funcrel |
| admin-center | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.3-funcrel |
| admin-center | CVE-2025-68973 | HIGH | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | 3.5.3-funcrel |
| admin-center | CVE-2025-69419 | HIGH | openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing | 3.5.3-funcrel |
| admin-center | CVE-2026-22695 | HIGH | libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read | 3.5.3-funcrel |
| admin-center | CVE-2026-22801 | HIGH | libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API | 3.5.3-funcrel |
| ai-service | CVE-2025-15467 | CRITICAL | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| ai-service | CVE-2025-65106 | HIGH | langchain-core: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates | 3.5.3-funcrel |
| ai-service | CVE-2025-68664 | CRITICAL | langchain-core: LangChain: Arbitrary code execution via serialization injection | 3.5.3-funcrel |
| ai-service | CVE-2025-69223 | HIGH | aiohttp: AIOHTTP’s HTTP Parser auto_decompress feature is vulnerable to zip bomb | 3.5.3-funcrel |
| ai-service | CVE-2025-69419 | HIGH | openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing | 3.5.3-funcrel |
| ai-service | CVE-2026-0994 | HIGH | python: protobuf: Protobuf: Denial of Service due to recursion depth bypass | 3.5.3-funcrel |
| ai-service | CVE-2026-21441 | HIGH | urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) | 3.5.3-funcrel |
| ai-service | CVE-2026-23490 | HIGH | pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID | 3.5.3-funcrel |
| analysis-node | CVE-2025-14523 | HIGH | libsoup: libsoup: Duplicate Host Header Handling Causes Host-Parsing Discrepancy (First- vs Last-Value Wins) | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2025-68973 | HIGH | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2026-21441 | HIGH | urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API) | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2026-21925 | HIGH | openjdk: Improve JMX connections (Oracle CPU 2026-01) | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2026-21933 | HIGH | openjdk: Improve HttpServer Request handling (Oracle CPU 2026-01) | 3.5.3-funcrel_core8.4.8 |
| analysis-node | CVE-2026-21945 | HIGH | openjdk: Enhance Certificate Checking (Oracle CPU 2026-01) | 3.5.3-funcrel_core8.4.8 |
| auth-service | CVE-2025-15467 | CRITICAL | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| auth-service | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.3-funcrel |
| auth-service | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.3-funcrel |
| auth-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.3-funcrel |
| auth-service | CVE-2025-68973 | HIGH | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | 3.5.3-funcrel |
| auth-service | CVE-2025-69419 | HIGH | openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing | 3.5.3-funcrel |
| auth-service | CVE-2026-22695 | HIGH | libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read | 3.5.3-funcrel |
| auth-service | CVE-2026-22801 | HIGH | libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API | 3.5.3-funcrel |
| console | CVE-2025-15467 | CRITICAL | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| console | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.3-funcrel |
| console | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.3-funcrel |
| console | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.3-funcrel |
| console | CVE-2025-68973 | HIGH | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | 3.5.3-funcrel |
| console | CVE-2025-69419 | HIGH | openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing | 3.5.3-funcrel |
| console | CVE-2026-22695 | HIGH | libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read | 3.5.3-funcrel |
| console | CVE-2026-22801 | HIGH | libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API | 3.5.3-funcrel |
| dashboards-v3 | CVE-2025-68973 | HIGH | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | 3.5.3-funcrel |
| etl-service | CVE-2025-15467 | CRITICAL | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| etl-service | CVE-2025-69419 | HIGH | openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing | 3.5.3-funcrel |
| gateway | CVE-2025-15467 | CRITICAL | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| gateway | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.3-funcrel |
| gateway | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.3-funcrel |
| gateway | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.3-funcrel |
| gateway | CVE-2025-68973 | HIGH | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | 3.5.3-funcrel |
| gateway | CVE-2025-69419 | HIGH | openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing | 3.5.3-funcrel |
| gateway | CVE-2026-22695 | HIGH | libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read | 3.5.3-funcrel |
| gateway | CVE-2026-22801 | HIGH | libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API | 3.5.3-funcrel |
| neo4j | CVE-2025-15467 | HIGH | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| neo4j | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.3-funcrel |
| neo4j | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.3-funcrel |
| neo4j | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.3-funcrel |
| neo4j | CVE-2025-68973 | HIGH | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | 3.5.3-funcrel |
| viewer | CVE-2025-15467 | CRITICAL | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | 3.5.3-funcrel |
| viewer | CVE-2025-69419 | HIGH | openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing | 3.5.3-funcrel |
| viewer | CVE-2026-22695 | HIGH | libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read | 3.5.3-funcrel |
| viewer | CVE-2026-22801 | HIGH | libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API | 3.5.3-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2026-0861 | HIGH | glibc: Integer overflow in memalign leads to heap corruption | 3.5.4-funcrel |
| ai-service | CVE-2026-23949 | HIGH | jaraco.context: jaraco.context: Path traversal via malicious tar archives | 3.5.4-funcrel |
| ai-service | CVE-2026-24049 | HIGH | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | 3.5.4-funcrel |
| neo4j | CVE-2025-12183 | HIGH | lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure | 3.5.4-funcrel |
| neo4j | CVE-2025-6176 | HIGH | Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS | 3.5.4-funcrel |
| neo4j | CVE-2025-66566 | HIGH | lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing | 3.5.4-funcrel |
| neo4j | CVE-2026-24881 | HIGH | GnuPG: GnuPG: Remote code execution and denial of service via crafted CMS EnvelopedData message | 3.5.4-funcrel |
| neo4j | CVE-2026-24882 | HIGH | GnuPG: GnuPG: Stack-based buffer overflow in tpm2daemon allows arbitrary code execution | 3.5.4-funcrel |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue | 3.5.4-funcrel |
| sso-service | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.5.4-funcrel |
| sso-service | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.5.4-funcrel |
| sso-service | CVE-2025-66021 | HIGH | com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer: OWASP Java HTML Sanitizer vulnerable to XSS | 3.5.4-funcrel |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.4-funcrel |
| sso-service | CVE-2025-6965 | HIGH | sqlite: Integer Truncation in SQLite | 3.5.4-funcrel |
| sso-service | CVE-2026-21945 | HIGH | openjdk: Enhance Certificate Checking (Oracle CPU 2026-01) | 3.5.4-funcrel |
| sso-service | CVE-2026-22184 | HIGH | zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility | 3.5.4-funcrel |
| viewer | CVE-2026-21932 | HIGH | openjdk: Enhance Handling of URIs (Oracle CPU 2026-01) | 3.5.4-funcrel |
| viewer | CVE-2026-21945 | HIGH | openjdk: Enhance Certificate Checking (Oracle CPU 2026-01) | 3.5.4-funcrel |
3.5.3-funcrel
SBOM
The SBOMs provided for CAST Imaging are generated in CycloneDX format (version 1.6) and delivered in JSON BOM output format. CycloneDX is a widely adopted industry standard for Software Bill of Materials, enabling interoperability with security, compliance, and supply chain risk management tools.
- SBOM-3.5.3-funcrel.zip (400 KB)
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-66418 | HIGH | urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion | 3.5.0-funcrel |
| ai-service | CVE-2025-66471 | HIGH | urllib3 is a user-friendly HTTP client library for Python. Starting in … | 3.5.0-funcrel |
| analysis-node | CVE-2025-66418 | HIGH | urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion | 3.5.0_core8.4.7 |
| analysis-node | CVE-2025-66471 | HIGH | urllib3 is a user-friendly HTTP client library for Python. Starting in … | 3.5.0_core8.4.7 |
| etl-service | CVE-2025-61729 | HIGH | crypto/x509: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 | 3.5.0-funcrel |
| sso-service | CVE-2025-6965 | HIGH | sqlite: Integer Truncation in SQLite | 3.5.0-funcrel |
| viewer | CVE-2025-61729 | HIGH | crypto/x509: Excessive resource consumption when printing error string for host certificate validation in crypto/x509 | 3.5.0-funcrel |
| viewer | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | 3.5.0-funcrel |
Known security issues (not yet fixed)
| CAST service | CVE | Severity | Description/Package | Justification | Affected CAST release |
|---|---|---|---|---|---|
| admin-center | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| admin-center | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| admin-center | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | Note that this CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| ai-service | CVE-2025-65106 | HIGH | langchain-core: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates | 3.5.3-funcrel | |
| auth-service | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| auth-service | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| auth-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | Note that this CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| console | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| console | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| console | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | Note that this CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| gateway | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| gateway | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| gateway | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | Note that this CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| neo4j | CVE-2025-12183 | HIGH | lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure | 3.5.3-funcrel | |
| neo4j | CVE-2025-6176 | HIGH | Scrapy: python-scrapy: brotli: Python brotli decompression bomb DoS | 3.5.3-funcrel | |
| neo4j | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| neo4j | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| neo4j | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | Note that this CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| neo4j | CVE-2025-66566 | HIGH | lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing | 3.5.3-funcrel | |
| sso-service | CVE-2025-59250 | HIGH | JDBC Driver for SQL Server has improper input validation issue. | This CVE was present in 3.5.0-funcrel. The library containing the CVE mssql-jdbchas been updated in 3.5.3-funcrel. The new version (msqsl-jdbc:13.2.1) contains the fix for the CVE, however, Trivy considers the version is still vulnerable (see discussion here ). |
3.5.3-funcrel |
| sso-service | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| sso-service | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | This CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
| sso-service | CVE-2025-66021 | HIGH | com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer: OWASP Java HTML Sanitizer vulnerable to XSS. | This OWASP sanitizer library is a dependency from Keycloak and should be updated by the vendor. | 3.5.3-funcrel |
| sso-service | CVE-2025-66293 | HIGH | libpng: LIBPNG out-of-bounds read in png_image_read_composite | Note that this CVE requires a fix on the base image, eclipse-temurin:21-jre-alpine. The impacts should be limited as there is no PNG file manipulation within the project. | 3.5.3-funcrel |
3.5.2-funcrel
Fixes provided
None.
3.5.0-funcrel
Fixes provided
| CAST service | CVE | Severity | Description/Package | Affected CAST release |
|---|---|---|---|---|
| ai-service | CVE-2025-65106 | HIGH | langchain-core: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates | 3.4.5-funcrel |
| analysis-node | CVE-2025-59375 | HIGH | expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing | 3.4.5_core8.4.7 |
| analysis-node | CVE-2025-8176 | HIGH | libtiff: LibTIFF Use-After-Free Vulnerability | 3.4.5_core8.4.7 |
| neo4j | CVE-2023-43000 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to memory corruption | 3.4.5-funcrel |
| neo4j | CVE-2025-11021 | HIGH | libsoup: Out-of-Bounds Read in Cookie Date Handling of libsoup HTTP Library | 3.4.5-funcrel |
| neo4j | CVE-2025-13502 | HIGH | webkit: WebKitGTK / WPE WebKit: Out-of-bounds read and integer underflow vulnerability leading to DoS | 3.4.5-funcrel |
| neo4j | CVE-2025-43272 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43342 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43343 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43368 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43419 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to memory corruption | 3.4.5-funcrel |
| neo4j | CVE-2025-43421 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43425 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43427 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43429 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43430 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43431 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to memory corruption | 3.4.5-funcrel |
| neo4j | CVE-2025-43432 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43434 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43440 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-43443 | HIGH | webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash | 3.4.5-funcrel |
| neo4j | CVE-2025-59375 | HIGH | expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing | 3.4.5-funcrel |
| neo4j | CVE-2025-6965 | HIGH | sqlite: Integer Truncation in SQLite | 3.4.5-funcrel |
| neo4j | CVE-2025-8176 | HIGH | libtiff: LibTIFF Use-After-Free Vulnerability | 3.4.5-funcrel |
| neo4j | CVE-2025-9900 | HIGH | libtiff: Libtiff Write-What-Where | 3.4.5-funcrel |
| viewer | CVE-2025-64720 | HIGH | libpng: LIBPNG buffer overflow | 3.4.5-funcrel |
| viewer | CVE-2025-65018 | HIGH | libpng: LIBPNG heap buffer overflow | 3.4.5-funcrel |