VYPR

apk package

chainguard/airflow-2

pkg:apk/chainguard/airflow-2

Vulnerabilities (76)

  • CVE-2026-49468criJun 16, 2026
    affected < 2.11.2-r12fixed 2.11.2-r12

    ### Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from `request.url.path` in `litellm/proxy/auth/auth_utils.py::get_request_route()

  • CVE-2026-41425MedApr 24, 2026
    affected < 2.11.2-r8fixed 2.11.2-r8

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

  • CVE-2026-41205HigApr 23, 2026
    affected < 2.11.2-r9fixed 2.11.2-r9

    Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable

  • CVE-2026-40347MedApr 18, 2026
    affected < 2.11.2-r9fixed 2.11.2-r9

    Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the

  • CVE-2025-66236HigApr 13, 2026
    affected < 2.11.2-r11fixed 2.11.2-r11

    Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enoug

  • CVE-2026-39892CriApr 8, 2026
    affected < 2.11.2-r8fixed 2.11.2-r8

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner

  • CVE-2026-35030CriApr 6, 2026
    affected < 2.11.2-r7fixed 2.11.2-r7

    LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, when JWT authentication is enabled (enable_jwt_auth: true), the OIDC userinfo cache uses token[:20] as the cache key. JWT headers produced by the same signing algorithm generate

  • CVE-2026-35029HigApr 6, 2026
    affected < 2.11.2-r7fixed 2.11.2-r7

    LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configura

  • CVE-2026-34525MedApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

  • CVE-2026-34520CriApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

  • CVE-2026-34519MedApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

  • CVE-2026-34518MedApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in

  • CVE-2026-34517MedApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

  • CVE-2026-34516HigApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched

  • CVE-2026-34515HigApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.

  • CVE-2026-34514MedApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

  • CVE-2026-34513HigApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.

  • CVE-2026-22815HigApr 1, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

  • CVE-2026-34073MedMar 31, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently

  • CVE-2026-33936MedMar 27, 2026
    affected < 2.11.2-r5fixed 2.11.2-r5

    The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2,

Page 1 of 4