Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-25T19:00:19 envoy: Envoy: Injection vulnerability in Query Parameter Handler 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CWE-915

A flaw was found in Envoy. A remote attacker could exploit a weakness in the Query Parameter Handler component, specifically within the `params.add` function. This vulnerability allows for injection, which may lead to limited impacts on the confidentiality, integrity, and availability of the affected system.

OpenShift Service Mesh 2 Not affected openshift-service-mesh/proxyv2-rhel9 OpenShift Service Mesh 3 Not affected openshift-service-mesh/istio-proxyv2-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-6994 https://nvd.nist.gov/vuln/detail/CVE-2026-6994 https://github.com/envoyproxy/envoy/commit/f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4 https://github.com/envoyproxy/envoy/pull/43502/ https://vuldb.com/submit/797241 https://vuldb.com/vuln/359546 https://vuldb.com/vuln/359546/cti