CLEANSTART-2026-CF62516

See a problem?
Import Source
https://github.com/cleanstart-dev/cleanstart-security-advisories/blob/main/advisories/2026/CLEANSTART-2026-CF62516.json
JSON Data
https://api.osv.dev/v1/vulns/CLEANSTART-2026-CF62516
Upstream
  • CVE-2026-1225
  • CVE-2026-34757
  • ghsa-25qh-j22f-pwp8
  • ghsa-389x-839f-4rhx
  • ghsa-3p8m-j85q-pgmj
  • ghsa-3pxv-7cmr-fjr4
  • ghsa-4cx2-fc23-5wg6
  • ghsa-4g8c-wm8x-jfhw
  • ghsa-72hv-8253-57qq
  • ghsa-735f-pc8j-v9w8
  • ghsa-7xrh-hqfc-g7qr
  • ghsa-84h7-rjj3-6jx4
  • ghsa-crhr-qqj8-rpxc
  • ghsa-fghv-69vj-qj49
  • ghsa-prj3-ccx8-p6x4
  • ghsa-pwqr-wmgm-9rr8
  • ghsa-qqpg-mvqg-649v
  • ghsa-vc5p-v9hr-52mj
  • ghsa-w9fj-cfpg-grvv
  • ghsa-xq3w-v528-46rv
Published
2026-04-16T00:42:51.354420Z
Modified
2026-04-23T05:01:00.133027Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper s...
Details

Multiple security vulnerabilities affect the kserve-modelmesh package. Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. See references for individual vulnerability details.

References

Affected packages

CleanStart / kserve-modelmesh

Package

Name
kserve-modelmesh

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.12.0-r16

Database specific

source 
"https://github.com/cleanstart-dev/cleanstart-security-advisories/blob/main/advisories/2026/CLEANSTART-2026-CF62516.json"