Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14873 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security Fix(es):

    * python-pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image (CVE-2026-25990)

    * candlepin: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects     (CVE-2026-27727)

    * python-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534)

    * python-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459)

    * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings     (CVE-2026-33176)

    Bug Fix(es):

    * Satellite manifest consumer profile cert and key found in satellite client rhsm cache (SAT-43920)

    * All communication should happen only over https during global registration execution (SAT-43921)

    * Impossible to generate registration command via REST API in isolated networks managed by external     capsules (SAT-43922)

    * Errata applicability and Refresh applicability tasks for RHEL 7 hosts runs dnf command. (SAT-43923)

    * BIOS info is not populated in All hosts page and in Host Details tab (SAT-43925)

    * Executing the 'katello::clean_backend_objects' rake task takes a long time to complete (SAT-43926)

    * Puppet fact parser can't create OS entry blocking Satellite leapp upgrades (SAT-43928)

    * No repositories available through subscriptions on a cloud-instance host after registering it to Red Hat     Satellite using global registration method (SAT-43929)

    * Proxy password shown in clear text in the Overview page of Virt-who Configuration (SAT-43931)

    * Non-admin users on Satellite with viewer role, unable to see the hostgroup. (SAT-44039)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14874 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security Fix(es):

    * python-pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image (CVE-2026-25990)

    * candlepin: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects     (CVE-2026-27727)

    * python-markdown: denial of service via malformed HTML-like sequences (CVE-2025-69534)

    * python-pyOpenSSL: DTLS cookie callback buffer overflow (CVE-2026-27459)

    * rubygem-activesupport: Active Support: Denial of Service via large scientific notation strings     (CVE-2026-33176)

    Bug Fix(es):

    * Satellite manifest consumer profile cert and key found in satellite client rhsm cache (SAT-43030)

    * All communication should happen only over https during global registration execution (SAT-44031)

    * Impossible to generate registration command via REST API in isolated networks managed by external     capsules (SAT-44032)

    * Executing the 'katello::clean_backend_objects' rake task takes a long time to complete (SAT-44033)

    * Puppet fact parser can't create OS entry blocking Satellite leapp upgrades (SAT-44035)

    * No repositories available through subscriptions on a cloud-instance host after registering it to Red Hat     Satellite using global registration method (SAT-44036)

    * Proxy password shown in clear text in the Overview page of Virt-who Configuration (SAT-43834)

    * Non-admin users on Satellite with viewer role, unable to see the hostgroup. (SAT-44034)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14835 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security Fix(es):

    * python3.12-django: Django: SQL Injection via crafted column aliases     (CVE-2026-1287)
    * python3.12-django: Django: SQL Injection via RasterField band index     parameter (CVE-2026-1207)
    * python3.12-django: Django: SQL injection via crafted column aliases in     QuerySet.order_by() (CVE-2026-1312)
    * python3.12-django: Django: Denial of Service via crafted HTML inputs     (CVE-2026-1285)
    * python3.12-django: Django: Denial of Service via crafted request with     duplicate headers (CVE-2025-14550)
    * python3.12-markdown: markdown: Denial of Service via malformed     HTML-like sequences (CVE-2025-69534)
    * python3.12-pyOpenSSL: pyOpenSSL: DTLS cookie callback buffer overflow     (CVE-2026-27459)
    * rubygem-activesupport: Active Support: Denial of Service via large     scientific notation strings (CVE-2026-33176)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the rubygem package has been released.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails     framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings     containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands into extremely large decimal     representations. This can cause excessive memory allocation and CPU consumption when the expanded number     is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a     patch. (CVE-2026-33176)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
313174	RHEL 9 : Satellite 6.17.8 Async Update (Important) (RHSA-2026:14873)	Nessus	Red Hat Local Security Checks	critical
313105	RHEL 8 / 9 : Satellite 6.16.8 Async Update (Important) (RHSA-2026:14874)	Nessus	Red Hat Local Security Checks	critical
313104	RHEL 9 : Satellite 6.18.5 Async Update (Important) (RHSA-2026:14835)	Nessus	Red Hat Local Security Checks	critical
305990	Photon OS 4.0: Rubygem PHSA-2026-4.0-0995	Nessus	PhotonOS Local Security Checks	high
305120	Photon OS 5.0: Rubygem PHSA-2026-5.0-0802	Nessus	PhotonOS Local Security Checks	high
303682	Linux Distros Unpatched Vulnerability : CVE-2026-33176	Nessus	Misc.	high

Detections

Analytics

CVE-2026-33176

high

Tenable Plugins

critical

critical

critical

high

high

high