Details:
Kiali 1.73.30, for Red Hat OpenShift Service Mesh 2.6, provides observability for the service mesh through a visual representation of the mesh topology and its metrics, helping users monitor, trace, and manage the mesh efficiently.
Security Fix(es):
- CVE-2026-32280 Go: Denial of Service vulnerability in certificate chain building (OSSM-13521)
- CVE-2026-40895 follow-redirects: Information disclosure via cross-domain redirects (OSSM-13550, OSSM-13551)
- CVE-2026-41240 DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization (OSSM-13592)
- CVE-2026-42033 Axios: HTTP Transport Hijacking via Prototype Pollution (OSSM-13687, OSSM-13688)
- CVE-2026-42035 Axios: Arbitrary HTTP header injection via prototype pollution (OSSM-13594, OSSM-13595)
- CVE-2026-42039 Axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data (OSSM-13725, OSSM-13726)
- CVE-2026-42041 Axios: Authentication bypass due to prototype pollution of HTTP error handling (OSSM-13739, OSSM-13740)
- CVE-2026-42043 Axios: NO_PROXY bypass via crafted URL (OSSM-13711, OSSM-13712)
Enhancement(s):
- OSSM-12301 Migration from Yarn Classic (v1) to Yarn v4 or NPM
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.