apk package
chainguard/arangodb-3.12
pkg:apk/chainguard/arangodb-3.12
Vulnerabilities (16)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-9277 | Hig | 8.1 | < 3.12.9.4-r2 | 3.12.9.4-r2 | May 22, 2026 | shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te | |
| CVE-2026-8723 | Med | 5.3 | < 3.12.9.3-r1 | 3.12.9.3-r1 | May 17, 2026 | ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`). | |
| CVE-2026-6322 | Hig | 7.5 | < 3.12.7.2-r5 | 3.12.7.2-r5 | May 5, 2026 | fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw | |
| CVE-2026-6321 | Hig | 7.5 | < 3.12.7.2-r5 | 3.12.7.2-r5 | May 4, 2026 | fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize | |
| CVE-2026-4800 | Hig | 8.1 | < 3.12.7.2-r5 | 3.12.7.2-r5 | Mar 31, 2026 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a | |
| CVE-2026-2950 | Med | 6.5 | < 3.12.7.2-r5 | 3.12.7.2-r5 | Mar 31, 2026 | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca | |
| CVE-2026-33750 | Med | 6.5 | < 3.12.7.2-r5 | 3.12.7.2-r5 | Mar 27, 2026 | The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process | |
| CVE-2026-27904 | — | < 3.12.7.2-r3 | 3.12.7.2-r3 | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh | ||
| CVE-2026-27903 | — | < 3.12.7.2-r3 | 3.12.7.2-r3 | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a | ||
| CVE-2026-26996 | — | < 3.12.7.2-r2 | 3.12.7.2-r2 | Feb 20, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact | ||
| CVE-2026-2391 | — | < 3.12.7.2-r2 | 3.12.7.2-r2 | Feb 12, 2026 | ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass | ||
| CVE-2025-69873 | Low | 2.9 | < 3.12.7.2-r2 | 3.12.7.2-r2 | Feb 11, 2026 | ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp( | |
| CVE-2025-13465 | Med | 5.3 | < 3.12.7.2-r0 | 3.12.7.2-r0 | Jan 21, 2026 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin | |
| CVE-2025-15284 | — | < 3.12.7.1-r1 | 3.12.7.1-r1 | Dec 29, 2025 | Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim | ||
| CVE-2025-64718 | — | < 3.12.6.1-r1 | 3.12.6.1-r1 | Nov 13, 2025 | js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T | ||
| CVE-2025-5889 | Low | 3.1 | < 3.12.5-r1 | 3.12.5-r1 | Jun 9, 2025 | A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l |
- affected < 3.12.9.4-r2fixed 3.12.9.4-r2
shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te
- affected < 3.12.9.3-r1fixed 3.12.9.3-r1
### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).
- affected < 3.12.7.2-r5fixed 3.12.7.2-r5
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw
- affected < 3.12.7.2-r5fixed 3.12.7.2-r5
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize
- affected < 3.12.7.2-r5fixed 3.12.7.2-r5
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a
- affected < 3.12.7.2-r5fixed 3.12.7.2-r5
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca
- affected < 3.12.7.2-r5fixed 3.12.7.2-r5
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process
- CVE-2026-27904Feb 26, 2026affected < 3.12.7.2-r3fixed 3.12.7.2-r3
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh
- CVE-2026-27903Feb 26, 2026affected < 3.12.7.2-r3fixed 3.12.7.2-r3
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a
- CVE-2026-26996Feb 20, 2026affected < 3.12.7.2-r2fixed 3.12.7.2-r2
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact
- CVE-2026-2391Feb 12, 2026affected < 3.12.7.2-r2fixed 3.12.7.2-r2
### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass
- affected < 3.12.7.2-r2fixed 3.12.7.2-r2
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp(
- affected < 3.12.7.2-r0fixed 3.12.7.2-r0
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin
- CVE-2025-15284Dec 29, 2025affected < 3.12.7.1-r1fixed 3.12.7.1-r1
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim
- CVE-2025-64718Nov 13, 2025affected < 3.12.6.1-r1fixed 3.12.6.1-r1
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T
- affected < 3.12.5-r1fixed 3.12.5-r1
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l