RCE in Red Hat Satellite 6
CVE-2026-1961
A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resourc…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.000 (12.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Red Hat Satellite 6
- Red Hat Satellite 6.16 For Rhel 8 — versions 0:3.12.0.14-1.el8sat
- Red Hat Satellite 6.16 For Rhel 9 — versions 0:3.12.0.14-1.el9sat
- Red Hat Satellite 6.17 For Rhel 9 — versions 0:3.14.0.14-1.el9sat, 0:0.1.23-0.3.el9pc, 0:1.2.0-0.1.el9pc
- Red Hat Satellite 6.18 For Rhel 9 — versions 0:3.16.0.12-1.el9sat
Weakness classification (CWE)
References
- RHSA-2026:5968 (vendor-advisory, x_refsource_REDHAT)
- RHSA-2026:5970 (vendor-advisory, x_refsource_REDHAT)
- RHSA-2026:5971 (vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/security/cve/CVE-2026-1961 (vdb-entry, x_refsource_REDHAT)
- RHBZ#2437036 (issue-tracking, x_refsource_REDHAT)
Frequently asked questions
- What is CVE-2026-1961?
- CVE-2026-1961 is a high-severity vulnerability in Red Hat Satellite 6, classified under OS Command Injection. CVSS score: 8.0/10. Published 2026-03-26.
- How severe is CVE-2026-1961?
- High severity. CVSS v3 base score is 8.0 out of 10.