Quay

This hub aggregates every CVE we track for Quay, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Quay.

• CVE-2026-6848Quay: red hat quay: authentication bypass allows privileged actions without valid credentials5.4Apr 22, 2026
• CVE-2026-32591Mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration5.2Apr 8, 2026
• CVE-2026-32590Mirror-registry: remote code execution using pickle deserialization7.1Apr 8, 2026
• CVE-2026-32589Mirror-registry: quay: insecure direct object reference in blobupload7.4Apr 8, 2026
• CVE-2026-2377Mirror-registry: quay: quay: server-side request forgery via log export functionality6.5Apr 8, 2026
• CVE-2026-2376Mirror-registry: quay: quay: server-side request forgery via open redirect vulnerability in web interface4.9Mar 12, 2026
• CVE-2025-4374Quay: incorrect privilege assignment6.5May 6, 2025
• CVE-2024-9683Quay: quay allows successful authentication with trucated version of the password4.8Oct 17, 2024
• CVE-2024-5891Quay: unauthorized user may authenticate via oauth application token4.2Jun 12, 2024
• CVE-2023-4956Quay: clickjacking on config-editor page severity6.5Nov 7, 2023
• CVE-2023-44487The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.KEV7.5Oct 10, 2023
• CVE-2023-4959Quay: cross-site request forgery (csrf) on config-editor page6.5Sep 15, 2023
• CVE-2023-3384Quay: stored cross site scripting5.4Jul 24, 2023
• CVE-2020-10735A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s f...7.5Sep 9, 2022
• CVE-2022-2447A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This coul...6.6Sep 1, 2022