VYPR

apk package

chainguard/authentik-fips

pkg:apk/chainguard/authentik-fips

Vulnerabilities (21)

  • CVE-2026-30922HigMar 18, 2026
    affected < 2026.2.1-r3fixed 2026.2.1-r3

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousa

  • CVE-2026-27459Mar 17, 2026
    affected < 2026.2.1-r3fixed 2026.2.1-r3

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Sta

  • CVE-2026-27448Mar 17, 2026
    affected < 2026.2.1-r3fixed 2026.2.1-r3

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying

  • CVE-2026-32597HigMar 13, 2026
    affected < 2026.2.1-r3fixed 2026.2.1-r3

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i

  • CVE-2026-25674Mar 3, 2026
    affected < 2026.2.1-r0fixed 2026.2.1-r0

    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w

  • CVE-2026-25673Mar 3, 2026
    affected < 2026.2.1-r0fixed 2026.2.1-r0

    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. `URLField.to_python()` in Django calls `urllib.parse.urlsplit()`, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote

  • CVE-2025-14550Feb 3, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, an

  • CVE-2026-1312Feb 3, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `Filtered

  • CVE-2026-1287Feb 3, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` m

  • CVE-2026-1285Feb 3, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause

  • CVE-2026-1207Feb 3, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and

  • CVE-2025-13473Feb 3, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Djang

  • CVE-2026-0994HigJan 23, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

  • CVE-2026-24049Jan 22, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil

  • CVE-2025-67221Jan 22, 2026
    affected < 2026.2.1-r3fixed 2026.2.1-r3

    The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents.

  • CVE-2026-23949Jan 20, 2026
    affected < 2025.12.1-r2fixed 2025.12.1-r2

    jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta

  • CVE-2026-23490Jan 16, 2026
    affected < 2025.10.3-r2fixed 2025.10.3-r2

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

  • CVE-2026-21226Jan 13, 2026
    affected < 2025.10.3-r2fixed 2025.10.3-r2

    Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

  • CVE-2026-21441Jan 7, 2026
    affected < 2025.10.3-r1fixed 2025.10.3-r1

    urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b

  • CVE-2025-69277MedDec 31, 2025
    affected < 2025.10.3-r1fixed 2025.10.3-r1

    libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g

Page 1 of 2