VYPR

apk package

chainguard/apache-hop

pkg:apk/chainguard/apache-hop

Vulnerabilities (64)

  • CVE-2026-44892 | High | Jun 12, 2026
    affected: < 2.18.0-r6 | fixed: 2.18.0-r6

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitl

  • CVE-2026-44890 | High | Jun 11, 2026
    affected: < 2.18.0-r2 | fixed: 2.18.0-r2

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts t

  • CVE-2026-44250 | High | Jun 11, 2026
    affected: < 2.18.0-r2 | fixed: 2.18.0-r2

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to alloc

  • CVE-2026-44249 | High | Jun 11, 2026
    affected: < 2.18.0-r3 | fixed: 2.18.0-r3

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid pub

  • CVE-2026-45205 | Medium | May 14, 2026
    affected: < 2.17.0-r16 | fixed: 2.17.0-r16

    Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0. Users are recommended to upgrade

  • CVE-2026-44248 | Medium | May 13, 2026
    affected: < 2.17.0-r15 | fixed: 2.17.0-r15

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is

  • CVE-2026-42586 | Medium | May 13, 2026
    affected: < 2.17.0-r15 | fixed: 2.17.0-r15

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) cha

  • CVE-2026-42583 | High | May 13, 2026
    affected: < 2.17.0-r14 | fixed: 2.17.0-r14

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload

  • CVE-2026-42582 | High | May 13, 2026
    affected: < 2.17.0-r11 | fixed: 2.17.0-r11

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verif

  • CVE-2026-42579 | High | May 13, 2026
    affected: < 2.17.0-r13 | fixed: 2.17.0-r13

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon

  • CVE-2026-42578 | High | May 13, 2026
    affected: < 2.17.0-r15 | fixed: 2.17.0-r15

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea

  • CVE-2026-42577 | High | May 13, 2026
    affected: < 2.17.0-r15 | fixed: 2.17.0-r15

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2026-42440 | High | May 4, 2026
    affected: < 2.17.0-r9 | fixed: 2.17.0-r9

    OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed inte

  • CVE-2026-42027 | Critical | May 4, 2026
    affected: < 2.17.0-r9 | fixed: 2.17.0-r9

    Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName(

  • CVE-2026-40682 | Critical | May 4, 2026
    affected: < 2.17.0-r9 | fixed: 2.17.0-r9

    XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling F

  • CVE-2026-42779 | Critical | May 1, 2026
    affected: < 2.17.0-r10 | fixed: 2.17.0-r10

    The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all

  • CVE-2026-42778 | Critical | May 1, 2026
    affected: < 2.17.0-r10 | fixed: 2.17.0-r10

    The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applie

  • CVE-2026-42198 | High | Apr 29, 2026
    affected: < 2.17.0-r12 | fixed: 2.17.0-r12

    pgjdbc is an open source PostgreSQL JDBC driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg

  • CVE-2026-41409 | Critical | Apr 27, 2026
    affected: < 2.17.0-r10 | fixed: 2.17.0-r10

    The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are A

  • CVE-2026-41635 | Critical | Apr 27, 2026
    affected: < 2.17.0-r10 | fixed: 2.17.0-r10

    Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in th