{}

{}

{}

{"bugzilla": {"description": "manageiq: YAML safe_load production fallback to unsafe_load enables RCE via deserialization", "id": "2486730", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486730"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A deserialization of untrusted data vulnerability was found in ManageIQ. The YamlLoadAliases module overrides YAML.safe_load to silently fall back to YAML.unsafe_load in production when a Psych::DisallowedClass error occurs. An authenticated attacker with dialog import access can exploit this to achieve remote code execution by uploading a crafted YAML payload that triggers the fallback and deserializes arbitrary Ruby objects."], "mitigation": {"lang": "en:us", "value": "The following practices would help for avoiding exposure to this flaw:\n1) Remove or disable the rescue Psych::DisallowedClass fallback in lib/extensions/yaml_load_aliases.rb.\n2) Alternatively, restrict dialog import access to trusted administrators only."}, "name": "CVE-2026-52903", "public_date": "2026-06-09T07:23:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-52903\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-52903"], "statement": "Red Hat CloudForms, which was based on ManageIQ, has reached End of Life and is no longer supported. No errata or patches will be issued. This CVE is being assigned for the benefit of the ManageIQ community and downstream consumers.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "manageiq", "vendor": "manageiq"}], "created": "2026-06-09T13:45:05.792266+00:00", "updated": "2026-06-09T14:30:07.085793+00:00", "vendors": ["manageiq", "manageiq$PRODUCT$manageiq"]}