VDB
RHSA-2026%3A8218
RHSA-2026%3A8218
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in Immutable.js, a library for persistent immutable data structures. This vulnerability, known as Prototype Pollution, allows an attacker with low privileges to inject unwanted properties into core JavaScript object prototypes without user interaction. By manipulating specific APIs such as mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject(), a remote attacker could potentially execute arbitrary code or cause a denial of service (DoS).
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/multicluster-engine/console-mce-rhel9@sha256:4943997b1fed0e8fada897f8296fafd2ec82c69d51f0779b0f1591c9ce2dcc2a_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-image-set-controller-rhel9@sha256:ad396a22c7dfc18d3755b5226322b02cf53e9d889d8c4c0fd9f3fc18640d5229_arm64 as a component of multicluster engine for Kubernetes 2.8 | |
| Red Hat | registry.redhat.io/multicluster-engine/backplane-rhel9-operator@sha256:553edf965192cf55bc245e8a3bbf3a27545d62d03d311acc24062a2554a2e85f_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/clusterlifecycle-state-metrics-rhel9@sha256:a8d65fb8b81be9613bc732f696ef245aad46a23335de455d258598dd86c19f8d_ppc64le as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/registration-operator-rhel9@sha256:eeaf14966d50a750a665ef6304f3ca82b50c0cfe147acf796714ddd0642d51f2_ppc64le as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-curator-controller-rhel9@sha256:5e4dde4a4e91f67ad09ea3fe2b685731570fbbdab3bed1729f727ed50728f0aa_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, registry.redhat.io/multicluster-engine/cluster-curator-controller-rhel9@sha256:5e4dde4a4e91f67ad09ea3fe2b685731570fbbdab3bed1729f727ed50728f0aa_amd64 |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:a368438d68a76db54dc21edee2a9dfe0356201730e5edaf3efe2e5d35cf4812b_arm64 as a component of multicluster engine for Kubernetes 2.8 | registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:a368438d68a76db54dc21edee2a9dfe0356201730e5edaf3efe2e5d35cf4812b_arm64, *, registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:a368438d68a76db54dc21edee2a9dfe0356201730e5edaf3efe2e5d35cf4812b_arm64 |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-image-set-controller-rhel9@sha256:ad396a22c7dfc18d3755b5226322b02cf53e9d889d8c4c0fd9f3fc18640d5229_arm64 as a component of multicluster engine for Kubernetes 2.8 | registry.redhat.io/multicluster-engine/cluster-image-set-controller-rhel9@sha256:ad396a22c7dfc18d3755b5226322b02cf53e9d889d8c4c0fd9f3fc18640d5229_arm64, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:d4e3c622c9e9e9fd7715efe0675082b313811c3ad4be4d483b0bd6df4137b98d_s390x as a component of multicluster engine for Kubernetes 2.8 | registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:d4e3c622c9e9e9fd7715efe0675082b313811c3ad4be4d483b0bd6df4137b98d_s390x, registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:d4e3c622c9e9e9fd7715efe0675082b313811c3ad4be4d483b0bd6df4137b98d_s390x, registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:d4e3c622c9e9e9fd7715efe0675082b313811c3ad4be4d483b0bd6df4137b98d_s390x |
| Red Hat | registry.redhat.io/multicluster-engine/clusterclaims-controller-rhel9@sha256:ddda8b74fb8cbde98a90fc89c62608dce08a022c0e63ae90a1a0b52123da1c2c_s390x as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/hive-rhel9@sha256:d2cc92420cffc159ce7f27104ba9e49745198e9e3314683209624e4a1a3f041a_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, registry.redhat.io/multicluster-engine/hive-rhel9@sha256:d2cc92420cffc159ce7f27104ba9e49745198e9e3314683209624e4a1a3f041a_amd64, registry.redhat.io/multicluster-engine/hive-rhel9@sha256:d2cc92420cffc159ce7f27104ba9e49745198e9e3314683209624e4a1a3f041a_amd64 |
| Red Hat | registry.redhat.io/multicluster-engine/clusterclaims-controller-rhel9@sha256:b496e4274643266a37d7ba7134f71e3aa262df65e4c04b9148ee9d7a67da669a_arm64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/placement-rhel9@sha256:32e1fac10eb855484152f41d6a2e4b3fa6fb9c63afd10c5d546db29916f40816_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, registry.redhat.io/multicluster-engine/placement-rhel9@sha256:32e1fac10eb855484152f41d6a2e4b3fa6fb9c63afd10c5d546db29916f40816_amd64 |
| Red Hat | registry.redhat.io/multicluster-engine/multicloud-manager-rhel9@sha256:5a063e1f8a5d0ff90f7c948f332fff502fc00be8ede14bd0ef4b38ab09717c72_arm64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/registration-rhel9@sha256:548fe802bc62d3ff20ee0b13dcd9792eb304f11d5d496562ad1c2d80b5796c67_amd64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/managedcluster-import-controller-rhel9@sha256:3cdd76fda529eb46161cac023a40b1420d85cfe6ac9100986796e4f49ea5e7c2_amd64 as a component of multicluster engine for Kubernetes 2.8 | registry.redhat.io/multicluster-engine/managedcluster-import-controller-rhel9@sha256:3cdd76fda529eb46161cac023a40b1420d85cfe6ac9100986796e4f49ea5e7c2_amd64, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-api-provider-agent-rhel9@sha256:a368438d68a76db54dc21edee2a9dfe0356201730e5edaf3efe2e5d35cf4812b_arm64 as a component of multicluster engine for Kubernetes 2.8 | *, *, * |
| Red Hat | registry.redhat.io/multicluster-engine/managedcluster-import-controller-rhel9@sha256:132e7098ba9e2ac1e02e04e828359073ecc322a5e9e804badb1e0e5934ff32fe_s390x as a component of multicluster engine for Kubernetes 2.8 | *, registry.redhat.io/multicluster-engine/managedcluster-import-controller-rhel9@sha256:132e7098ba9e2ac1e02e04e828359073ecc322a5e9e804badb1e0e5934ff32fe_s390x, * |
| Red Hat | registry.redhat.io/multicluster-engine/cluster-proxy-addon-rhel9@sha256:d69c9156ba667438e59cb8c71a905fd92a26e830629a5c20223d70173a64a95b_ppc64le as a component of multicluster engine for Kubernetes 2.8 | registry.redhat.io/multicluster-engine/cluster-proxy-addon-rhel9@sha256:d69c9156ba667438e59cb8c71a905fd92a26e830629a5c20223d70173a64a95b_ppc64le, registry.redhat.io/multicluster-engine/cluster-proxy-addon-rhel9@sha256:d69c9156ba667438e59cb8c71a905fd92a26e830629a5c20223d70173a64a95b_ppc64le, registry.redhat.io/multicluster-engine/cluster-proxy-addon-rhel9@sha256:d69c9156ba667438e59cb8c71a905fd92a26e830629a5c20223d70173a64a95b_ppc64le |
| Red Hat | registry.redhat.io/multicluster-engine/multicloud-manager-rhel9@sha256:31b3f532cfa55e76563251f01008c9998b71ba33a4dd75c3307db32173d6ff39_amd64 |
…and 208 more
Timeline
- Apr 15, 2026 CVE Published
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Distribution Patch
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
- Apr 24, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2026:8218 advisory
- https://access.redhat.com/security/cve/CVE-2025-13465 advisory
- https://access.redhat.com/security/cve/CVE-2025-47907 advisory
- https://access.redhat.com/security/cve/CVE-2025-58183 advisory
- https://access.redhat.com/security/cve/CVE-2025-61726 advisory
- https://access.redhat.com/security/cve/CVE-2025-61729 advisory
- https://access.redhat.com/security/cve/CVE-2025-68121 advisory
- https://access.redhat.com/security/cve/CVE-2026-22029 advisory
- https://access.redhat.com/security/cve/CVE-2026-25639 advisory
- https://access.redhat.com/security/cve/CVE-2026-29063 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_8218.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2431740 issue
- https://www.cve.org/CVERecord?id=CVE-2025-13465 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-13465 advisory
- https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2387083 issue
- https://www.cve.org/CVERecord?id=CVE-2025-47907 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-47907 advisory
- https://go.dev/cl/693735 advisory
…and 48 more