VYPR

apk package

chainguard/actions-runner

pkg:apk/chainguard/actions-runner

Vulnerabilities (29)

  • CVE-2026-11525 · Low · Jun 17, 2026
    affected: < 2.335.1-r1, fixed: 2.335.1-r1

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733 · Low · Jun 17, 2026
    affected: < 2.335.1-r1, fixed: 2.335.1-r1

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9679 · Moderate · Jun 17, 2026
    affected: < 2.335.1-r1, fixed: 2.335.1-r1

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-12151 · Important · Jun 17, 2026
    affected: < 2.335.1-r1, fixed: 2.335.1-r1

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-53655 · Jun 15, 2026
    affected: < 2.335.1-r2, fixed: 2.335.1-r2

    Summary: `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`

  • CVE-2026-45149 · Medium · May 29, 2026
    affected: < 2.334.0-r2, fixed: 2.334.0-r2

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-42338 · Medium · May 12, 2026
    affected: < 2.334.0-r1, fixed: 2.334.0-r1

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-41675 · High · May 7, 2026
    affected: < 2.334.0-r1, fixed: 2.334.0-r1

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be seriali

  • CVE-2026-41674 · High · May 7, 2026
    affected: < 2.334.0-r1, fixed: 2.334.0-r1

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, syste

  • CVE-2026-41673 · High · May 7, 2026
    affected: < 2.334.0-r1, fixed: 2.334.0-r1

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A suffic

  • CVE-2026-41672 · High · May 7, 2026
    affected: < 2.334.0-r1, fixed: 2.334.0-r1

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML

  • CVE-2026-41907 · High · Apr 24, 2026
    affected: < 2.334.0-r0, fixed: 2.334.0-r0

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-33750 · Medium · Mar 27, 2026
    affected: < 2.333.1-r1, fixed: 2.333.1-r1

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-33672 · Medium · Mar 26, 2026
    affected: < 2.333.1-r1, fixed: 2.333.1-r1

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

  • CVE-2026-33671 · High · Mar 26, 2026
    affected: < 2.333.1-r1, fixed: 2.333.1-r1

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c

  • CVE-2026-31802 · Mar 9, 2026
    affected: < 2.332.0-r2, fixed: 2.332.0-r2

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur

  • CVE-2026-29786 · Mar 7, 2026
    affected: < 2.332.0-r2, fixed: 2.332.0-r2

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar

  • CVE-2026-27904 · Feb 26, 2026
    affected: < 2.332.0-r1, fixed: 2.332.0-r1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903 · Feb 26, 2026
    affected: < 2.332.0-r1, fixed: 2.332.0-r1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a

  • CVE-2026-26996 · Feb 20, 2026
    affected: < 2.332.0-r0, fixed: 2.332.0-r0

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

Page 1 of 2