VYPR

apk package

chainguard/airflow-core-2

pkg:apk/chainguard/airflow-core-2

Vulnerabilities (41)

  • CVE-2026-27199Feb 21, 2026
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account f

  • CVE-2025-65995Feb 21, 2026
    affected < 2.11.1-r0fixed 2.11.1-r0

    When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view

  • CVE-2026-26007Feb 10, 2026
    affected < 2.11.0-r14fixed 2.11.0-r14

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-0994HigJan 23, 2026
    affected < 2.11.1-r0fixed 2.11.1-r0

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

  • CVE-2025-68675Jan 16, 2026
    affected < 2.11.1-r0fixed 2.11.1-r0

    In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log out

  • CVE-2026-21860Jan 8, 2026
    affected < 0fixed 0

    Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are i

  • CVE-2026-21441Jan 7, 2026
    affected < 2.11.0-r12fixed 2.11.0-r12

    urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b

  • CVE-2025-68480MedDec 22, 2025
    affected < 2.11.0-r10fixed 2.11.0-r10

    Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request

  • CVE-2025-66471Dec 5, 2025
    affected < 2.11.0-r9fixed 2.11.0-r9

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418Dec 5, 2025
    affected < 2.11.0-r9fixed 2.11.0-r9

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-66221Nov 29, 2025
    affected < 0fixed 0

    Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc

  • CVE-2025-58065Sep 11, 2025
    affected < 2.11.2-r5fixed 2.11.2-r5

    Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in th

  • CVE-2025-53643Jul 14, 2025
    affected < 2.11.0-r4fixed 2.11.0-r4

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed

  • CVE-2025-50182Jun 19, 2025
    affected < 2.11.0-r3fixed 2.11.0-r3

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 2.11.0-r3fixed 2.11.0-r3

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2024-47081MedJun 9, 2025
    affected < 2.11.0-r2fixed 2.11.0-r2

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-32962May 16, 2025
    affected < 2.11.2-r5fixed 2.11.2-r5

    Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_

  • CVE-2024-49767Oct 25, 2024
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively

  • CVE-2024-49766Oct 25, 2024
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended

  • CVE-2024-34069May 6, 2024
    affected < 2.11.1-r0fixed 2.11.1-r0

    Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain