CVE-2026-7307
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Lan
CVSS
7.5
High
EPSS
0.7%
p51
KEV
—
Exploit Today
15
0-100
Published: May 19, 2026 · Last modified: Jul 15, 2026 · CWE-1286
0.7%EPSS · 30 days0.7%
2026-06-302026-07-16
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19594
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19595
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19596
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19597
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-7307
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2476526
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19594
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19595
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19596
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:19597
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-7307
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2476526
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7307.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-138787.5 HIG94.2%
——28Malformed BRID/HHIT records can cause `named` to terminate unexpectedly.
This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.2dCVE-2026-425797.5 HIG57.9%
——17Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.2dCVE-2026-256797.5 HIG50.0%
——15url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.13hCVE-2026-332187.5 HIG45.5%
——14NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.2dCVE-2026-480597.5 HIG45.0%
——14Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path — no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue.2dCVE-2026-278897.5 HIG43.9%
——13NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and so is exposed to anyone who can connect to the websockets port. Versions 2.11.14 and 2.12.5 contains a fix. A workaround is available. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points. If one is able to do so, a defense in depth of restricting either of these will mitigate the attack.2d