chore(deps): update registry.redhat.io/openshift4/ose-cli-rhel9 docker digest to e0ed0aa [security]

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change
registry.redhat.io/openshift4/ose-cli-rhel9	stage	digest	dcb3f93 → e0ed0aa

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

axios: Axios: Remote Code Execution via Prototype Pollution escalation

CVE-2026-40175

More information

Details

A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific "Gadget" attack chain. This allows an attacker to escalate a Prototype Pollution vulnerability in a third-party dependency, potentially leading to remote code execution or a full cloud compromise, such as bypassing AWS IMDSv2.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-40175
• https://bugzilla.redhat.com/show_bug.cgi?id=2457432
• https://www.cve.org/CVERecord?id=CVE-2026-40175
• https://nvd.nist.gov/vuln/detail/CVE-2026-40175
• https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1
• https://github.com/axios/axios/pull/10660
• https://github.com/axios/axios/releases/tag/v1.15.0
• https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx

---

Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code

CVE-2026-35469

More information

Details

A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-35469
• https://bugzilla.redhat.com/show_bug.cgi?id=2457729
• https://www.cve.org/CVERecord?id=CVE-2026-35469
• https://nvd.nist.gov/vuln/detail/CVE-2026-35469

---

golang: cmd/compile: no-op interface conversion bypasses overlap checking

CVE-2026-27144

More information

Details

A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data corruption, memory corruption or unexpected application behavior.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-27144
• https://bugzilla.redhat.com/show_bug.cgi?id=2456340
• https://www.cve.org/CVERecord?id=CVE-2026-27144
• https://nvd.nist.gov/vuln/detail/CVE-2026-27144
• https://go.dev/cl/763764
• https://go.dev/issue/78371
• https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
• https://pkg.go.dev/vuln/GO-2026-4867

---

lodash: lodash: Arbitrary code execution via untrusted input in template imports

CVE-2026-4800

More information

Details

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-4800
• https://bugzilla.redhat.com/show_bug.cgi?id=2453496
• https://www.cve.org/CVERecord?id=CVE-2026-4800
• https://nvd.nist.gov/vuln/detail/CVE-2026-4800
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-35jh-r3h4-6jhm
• https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

---

golang: cmd/compile: possible memory corruption after bound check elimination

CVE-2026-27143

More information

Details

A flaw was found in the cmd/compile package in the Go standard library. The compiler fails to correctly check for integer overflow or underflow in arithmetic operations involving loop induction variables. As a result, the compiler allows invalid memory indexing to occur at runtime, potentially leading to memory corruption.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-27143
• https://bugzilla.redhat.com/show_bug.cgi?id=2456342
• https://www.cve.org/CVERecord?id=CVE-2026-27143
• https://nvd.nist.gov/vuln/detail/CVE-2026-27143
• https://go.dev/cl/763765
• https://go.dev/issue/78333
• https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
• https://pkg.go.dev/vuln/GO-2026-4868

---

serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization

CVE-2026-34043

More information

Details

A flaw was found in serialize-javascript. An attacker can exploit this vulnerability by providing a specially crafted "array-like" object with an excessively large length property during the serialization process. This action causes the application to enter an intensive loop, leading to 100% CPU consumption and an indefinite hang. The primary consequence is a Denial of Service (DoS), making the affected system unresponsive.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-34043
• https://bugzilla.redhat.com/show_bug.cgi?id=2453284
• https://www.cve.org/CVERecord?id=CVE-2026-34043
• https://nvd.nist.gov/vuln/detail/CVE-2026-34043
• https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
• https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5
• https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v

---

github.com/go-jose/go-jose/v3: github.com/go-jose/go-jose/v4: Go JOSE: Denial of Service via crafted JSON Web Encryption (JWE) object

CVE-2026-34986

More information

Details

A flaw was found in Go JOSE, a library for handling JSON Web Encryption (JWE) objects. A remote attacker could exploit this vulnerability by providing a specially crafted JWE object. When decrypting such an object, if a key wrapping algorithm is specified but the encrypted key field is empty, the application can crash. This leads to a denial of service (DoS), making the affected service unavailable to legitimate users.

Severity

Important

References

• https://access.redhat.com/security/cve/CVE-2026-34986
• https://bugzilla.redhat.com/show_bug.cgi?id=2455470
• https://www.cve.org/CVERecord?id=CVE-2026-34986
• https://nvd.nist.gov/vuln/detail/CVE-2026-34986
• https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8
• https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 33.85%. Comparing base (e451734) to head (fbfd2bf).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #94   +/-   ##
=======================================
  Coverage   33.85%   33.85%           
=======================================
  Files          19       19           
  Lines        1870     1870           
=======================================
  Hits          633      633           
  Misses       1193     1193           
  Partials       44       44           

Flag	Coverage Δ
unit	33.85% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.