VYPR

apk package

chainguard/awx

pkg:apk/chainguard/awx

Vulnerabilities (120)

  • CVE-2026-54274Jun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive m

  • CVE-2026-54275lowJun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. ### Impact If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reus

  • CVE-2026-54280lowJun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. ### Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection

  • CVE-2026-54273Jun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary No limit was present on the number of pipelined requests that could be queued. ### Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. ----- Patch: https://github.com/aio-libs/aiohttp/commit/dfd

  • CVE-2026-54278Jun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. ### Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip

  • CVE-2026-54277Jun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. ### Impact If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an exces

  • CVE-2026-54276Jun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likel

  • CVE-2026-54279lowJun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disall

  • CVE-2026-53550Jun 15, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-44496HigJun 11, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments

  • CVE-2026-44495HigJun 11, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transf

  • CVE-2026-44494HigJun 11, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-

  • CVE-2026-44492HigJun 11, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:

  • CVE-2026-44490MedJun 11, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil

  • CVE-2026-44487HigJun 11, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial

  • CVE-2026-44486HigJun 11, 2026
    affected < 24.6.1-r42fixed 24.6.1-r42

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorizati

  • CVE-2026-47265HigJun 2, 2026
    affected < 24.6.1-r38fixed 24.6.1-r38

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then

  • CVE-2026-34993MedJun 2, 2026
    affected < 24.6.1-r38fixed 24.6.1-r38

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is

  • CVE-2026-48526HigMay 28, 2026
    affected < 24.6.1-r41fixed 24.6.1-r41

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer publ

  • CVE-2026-48525MedMay 28, 2026
    affected < 24.6.1-r41fixed 24.6.1-r41

    PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-p

Page 1 of 6