Security Information
Updated the following middleware component versions to enhance security and performance in MSR:
- [MSRH-638] NGINX v1.30
Resolved CVEs
| CVE | Status | Images mitigated | Problem details |
|---|---|---|---|
| CVE-2026-6429 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials. |
| CVE-2026-6276 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom Host: header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new Host: header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations. |
| CVE-2026-6253 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
A flaw was found in curl. When curl is configured to use distinct proxies for different URL schemes, a redirect from a URL using an authenticated proxy to one using an unauthenticated proxy can inadvertently expose the initial proxy's credentials. This improper credential management (CWE-522) may allow an attacker to gain unauthorized access or information by intercepting these disclosed credentials. |
| CVE-2026-5773 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
A flaw was found in libcurl. Due to a logical error in the connection reuse mechanism for SMB (Server Message Block) transfers, libcurl might reuse an existing SMB connection with a different share than intended. This vulnerability, categorized as CWE-488 (Exposure of Data Element to Wrong Session), could lead to the download of an incorrect file or the upload of a file to an unintended location when an application uses libcurl for SMB transfers. |
| CVE-2026-5545 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
A flaw was found in libcurl. An application using libcurl that performs an authenticated HTTP(S) request after a Negotiate-authenticated one to the same host may incorrectly reuse the previous connection. This authentication bypass vulnerability allows the second request to be sent over a connection authenticated with different credentials, potentially leading to unauthorized access or information disclosure. |
| CVE-2026-5121 | Resolved | harbor/harbor-db harbor/harbor-log harbor/harbor-portal harbor/nginx-photon harbor/redis-photon |
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system. |
| CVE-2026-4873 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
A flaw was found in curl. A remote attacker could exploit this by initiating an unencrypted connection (via IMAP, SMTP, or POP3) and then making a subsequent request to the same host that requires Transport Layer Security (TLS). Due to incorrect connection reuse, the subsequent request would bypass the TLS requirement, leading to the transmission of sensitive information in cleartext. This vulnerability, categorized as Cleartext Transmission of Sensitive Information (CWE-319), results in information disclosure. |
| CVE-2026-4519 | Resolved | harbor/prepare | The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open(). |
| CVE-2026-4438 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. |
| CVE-2026-4437 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. |
| CVE-2026-4426 | Resolved | harbor/harbor-db harbor/harbor-log harbor/harbor-portal harbor/nginx-photon harbor/redis-photon |
A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (pz_log2_bs) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition. |
| CVE-2026-4424 | Resolved | harbor/harbor-db harbor/harbor-log harbor/harbor-portal harbor/nginx-photon harbor/redis-photon |
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction. |
| CVE-2026-4111 | Resolved | harbor/harbor-db harbor/harbor-log harbor/harbor-portal harbor/nginx-photon harbor/redis-photon |
A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives. |
| CVE-2026-4046 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. |
| CVE-2026-39883 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/trivy-adapter-photon |
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0. |
| CVE-2026-39882 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0. |
| CVE-2026-3805 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. |
| CVE-2026-3784 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. |
| CVE-2026-3783 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one. |
| CVE-2026-35535 | Resolved | harbor/harbor-log | In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation. |
| CVE-2026-35469 | Resolved | harbor/trivy-adapter-photon | spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1. |
| CVE-2026-35206 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/trivy-adapter-photon |
Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4. |
| CVE-2026-34986 | Resolved | harbor/harbor-core harbor/trivy-adapter-photon |
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5. |
| CVE-2026-3479 | Resolved | harbor/prepare | DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. |
| CVE-2026-34743 | Resolved | harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-registryctl harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3. |
| CVE-2026-33748 | Resolved | harbor/trivy-adapter-photon | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink. |
| CVE-2026-33747 | Resolved | harbor/trivy-adapter-photon | BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with #syntax or --build-arg BUILDKIT_SYNTAX. Using these options with a well-known frontend image like docker/dockerfile is not affected. |
| CVE-2026-33186 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/trivy-adapter-photon |
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx); AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening. |
| CVE-2026-32778 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. |
| CVE-2026-32777 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
libexpat before 2.7.5 allows an infinite loop while parsing DTD content. |
| CVE-2026-32776 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. |
| CVE-2026-32289 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. |
| CVE-2026-32288 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. |
| CVE-2026-32283 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. |
| CVE-2026-32282 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. |
| CVE-2026-32281 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. |
| CVE-2026-32280 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. |
| CVE-2026-31789 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. |
| CVE-2026-29111 | Resolved | harbor/harbor-db harbor/harbor-log harbor/harbor-portal harbor/nginx-photon harbor/redis-photon |
systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available. |
| CVE-2026-28390 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. |
| CVE-2026-28389 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. |
| CVE-2026-28388 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. |
| CVE-2026-28387 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. |
| CVE-2026-2781 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon |
Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35. |
| CVE-2026-27142 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. |
| CVE-2026-27139 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root. |
| CVE-2026-25679 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl harbor/registry-photon harbor/trivy-adapter-photon |
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2026-24051 | Resolved | harbor/harbor-core harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-registryctl |
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0. |
| CVE-2026-24049 | Resolved | harbor/prepare | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. |
| CVE-2026-23949 | Resolved | harbor/prepare | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the jaraco.context.tarball() function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first / and extracts the second component, while allowing ../ sequences. Paths like dummy_dir/../../etc/passwd become ../../etc/passwd. Note that this suffers from a nested tarball attack as well with multi-level tar files such as dummy_dir/inner.tar.gz, where the inner.tar.gz includes a traversal dummy_dir/../../config/.env that also gets translated to ../../config/.env. Version 6.1.0 contains a patch for the issue. |
| CVE-2026-21441 | Resolved | harbor/prepare | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting preload_content=False when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when preload_content=False. If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted source. |
| CVE-2026-1965 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon | libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection, a range of criteria must first be met. Due to a logical error in the code, a request issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates connections and not requests, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with user1:password1 and then does another operation to the same server also using Negotiate but with user2:password2 (while the previous connection is still alive) - the second request wrongly reused the same connection and, since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with CURLOPT_HTTPAUTH. Applications can disable libcurl's reuse of connections and thus mitigate this problem by using one of the following libcurl options to alter how connections are or are not reused: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API). |
| CVE-2025-70873 | Resolved | harbor/harbor-core harbor/harbor-db harbor/harbor-exporter harbor/harbor-jobservice harbor/harbor-log harbor/harbor-portal harbor/harbor-registryctl harbor/nginx-photon harbor/prepare harbor/redis-photon harbor/registry-photon harbor/trivy-adapter-photon | An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file. |
| CVE-2025-69720 | Resolved | harbor/harbor-db harbor/prepare | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. |
| CVE-2025-66471 | Resolved | harbor/prepare | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data). |
| CVE-2025-66418 | Resolved | harbor/prepare | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0. |
| CVE-2025-15558 | Resolved | harbor/harbor-core harbor/harbor-jobservice | Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege escalation if the docker CLI is executed as a privileged user. This issue affects Docker CLI through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager package (https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager), such as Docker Compose. This issue does not impact non-Windows binaries or projects not using the plugin-manager code. |