VYPR

apk package

chainguard/authentik-go-server

pkg:apk/chainguard/authentik-go-server

Vulnerabilities (20)

  • CVE-2026-27142MedMar 6, 2026
    affected < 2026.2.1-r2fixed 2026.2.1-r2

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 2026.2.1-r2fixed 2026.2.1-r2

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 2026.2.1-r2fixed 2026.2.1-r2

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-69230Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w

  • CVE-2025-69229Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method

  • CVE-2025-69228Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ

  • CVE-2025-69227Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI

  • CVE-2025-69225Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi

  • CVE-2025-69226Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica

  • CVE-2025-69224Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u

  • CVE-2025-69223Jan 5, 2026
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust

  • CVE-2025-69277MedDec 31, 2025
    affected < 2025.10.3-r3fixed 2025.10.3-r3

    libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g

  • CVE-2025-68131Dec 31, 2025
    affected < 2025.10.3-r2fixed 2025.10.3-r2

    cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28)

  • CVE-2025-66471Dec 5, 2025
    affected < 2025.10.2-r3fixed 2025.10.2-r3

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418Dec 5, 2025
    affected < 2025.10.2-r3fixed 2025.10.2-r3

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-64460Dec 2, 2025
    affected < 2025.10.2-r2fixed 2025.10.2-r2

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via

  • CVE-2025-13372Dec 2, 2025
    affected < 2025.10.2-r2fixed 2025.10.2-r2

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.

  • CVE-2025-47914Nov 19, 2025
    affected < 0fixed 0

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181Nov 19, 2025
    affected < 0fixed 0

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-64458Nov 5, 2025
    affected < 0fixed 0

    An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`