CVE-2026-50589
In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or J
CVSS
5.3
Medium
EPSS
0.4%
p35
KEV
—
Exploit Today
11
0-100
Published: Jun 5, 2026 · Last modified: Jul 15, 2026 · CWE-770 · CWE-502
0.4%EPSS · 30 days0.4%
2026-06-302026-07-18
In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash.
- bugs.launchpad.nethttps://bugs.launchpad.net/ironic/+bug/2154288
- wiki.openstack.orghttps://wiki.openstack.org/wiki/OSSN/OSSN-0099
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/06/06/2
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-50589
- bugs.launchpad.nethttps://bugs.launchpad.net/ironic/+bug/2154288
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2485353
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50589.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2021-422379.8 CRI99.9%
KEV—80Sitecore XP Remote Command Execution Vulnerability10dCVE-2026-456598.8 HIG86.8%
KEV—76Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability17dCVE-2026-586449.8 CRI70.7%
KEV—71Microsoft SharePoint Deserialization of Untrusted Data Vulnerability2dCVE-2026-125699.8 CRI66.0%
KEV—70PTC Windchill and FlexPLM Improper Input Validation Vulnerability19dCVE-2026-217107.5 HIG97.8%
——29A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**4dCVE-2026-505229.8 CRI97.2%
——29Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.4d