HIGH Severity
CVSS 3.1 score: 8.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2026-1961
Last updated Mar 27, 2026 · Published Mar 26, 2026
Description
A flaw was found in Foreman. A remote attacker could exploit a command injection vulnerability in Foreman's WebSocket proxy implementation. This vulnerability arises from the system's use of unsanitized hostname values from compute resource providers when constructing shell commands. By operating a malicious compute resource server, an attacker could achieve remote code execution on the Foreman server when a user accesses VM VNC console functionality. This could lead to the compromise of sensitive credentials and the entire managed infrastructure.
Affected products
1 listed
- Red Hat: Red Hat Satellite 6; Red Hat: Red Hat Satellite 6.16 for RHEL 8; Red Hat: Red Hat Satellite 6.16 for RHEL 9; Red Hat: Red Hat Satellite 6.17 for RHEL 9; Red Hat: Red Hat Satellite 6.18 for RHEL 9
Mappings
CWE
None listed.
CAPEC
None listed.
CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use.
