Red Hat osbuild-composer: Unrestricted File Upload Allows Malicious Data Injection

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

Red Hat osbuild-composer: Unrestricted File Upload Allows Malicious Data Injection

RHSA-2026:2688

Summary

A security issue was found in osbuild-composer, a tool used to build operating system images. An attacker could potentially upload malicious files, allowing them to inject malicious data into the system. To fix this issue, ensure you have the latest version of osbuild-composer installed on your system.

What to do

Update redhat osbuild-composer to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-core to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-core-debuginfo to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-debuginfo to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-debugsource to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-dnf-json to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-tests-debuginfo to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-worker to version 0:76.1-4.el9_2.
Update redhat osbuild-composer-worker-debuginfo to version 0:76.1-4.el9_2.

Affected software

Vendor	Product	Affected versions	Fix available
redhat	osbuild-composer	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-core	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-core-debuginfo	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-debuginfo	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-debugsource	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-dnf-json	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-tests-debuginfo	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-worker	<= 0:76.1-4.el9_2	0:76.1-4.el9_2
redhat	osbuild-composer-worker-debuginfo	<= 0:76.1-4.el9_2	0:76.1-4.el9_2

Original title

Red Hat Security Advisory: osbuild-composer security update

osv CVSS3.1 7.5

https://access.redhat.com/errata/RHSA-2026:2688 Vendor Advisory
https://access.redhat.com/security/updates/classification/#moderate Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2418900 Third Party Advisory
https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2688.j... Vendor Advisory
https://access.redhat.com/security/cve/CVE-2025-65637 Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2025-65637 Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2025-65637 Vendor Advisory
https://github.com/mjuanxd/logrus-dos-poc Third Party Advisory
https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md Third Party Advisory
https://github.com/sirupsen/logrus/issues/1370 Third Party Advisory
https://github.com/sirupsen/logrus/pull/1376 Third Party Advisory
https://github.com/sirupsen/logrus/releases/tag/v1.8.3 Third Party Advisory
https://github.com/sirupsen/logrus/releases/tag/v1.9.1 Third Party Advisory
https://github.com/sirupsen/logrus/releases/tag/v1.9.3 Third Party Advisory
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391 Third Party Advisory

Published: 17 Feb 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026