VYPR

apk package

chainguard/awx

pkg:apk/chainguard/awx

Vulnerabilities (120)

  • CVE-2026-0994HigJan 23, 2026
    affected < 24.6.1-r26fixed 24.6.1-r26

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

  • CVE-2026-24049Jan 22, 2026
    affected < 24.6.1-r26fixed 24.6.1-r26

    wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil

  • CVE-2026-23949Jan 20, 2026
    affected < 24.6.1-r25fixed 24.6.1-r25

    jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta

  • CVE-2026-21226Jan 13, 2026
    affected < 24.6.1-r25fixed 24.6.1-r25

    Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

  • CVE-2026-22701Jan 10, 2026
    affected < 24.6.1-r25fixed 24.6.1-r25

    filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race

  • CVE-2026-21441Jan 7, 2026
    affected < 24.6.1-r33fixed 24.6.1-r33

    urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b

  • CVE-2025-69230Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w

  • CVE-2025-69229Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method

  • CVE-2025-69228Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ

  • CVE-2025-69227Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI

  • CVE-2025-69225Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi

  • CVE-2025-69226Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica

  • CVE-2025-69224Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u

  • CVE-2025-69223Jan 5, 2026
    affected < 24.6.1-r23fixed 24.6.1-r23

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust

  • CVE-2025-68146Dec 16, 2025
    affected < 24.6.1-r21fixed 24.6.1-r21

    filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows

  • CVE-2025-66471Dec 5, 2025
    affected < 24.6.1-r33fixed 24.6.1-r33

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418Dec 5, 2025
    affected < 24.6.1-r33fixed 24.6.1-r33

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-64460Dec 2, 2025
    affected < 24.6.1-r20fixed 24.6.1-r20

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via

  • CVE-2025-13372Dec 2, 2025
    affected < 24.6.1-r20fixed 24.6.1-r20

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.

  • CVE-2025-64718Nov 13, 2025
    affected < 24.6.1-r42fixed 24.6.1-r42

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

Page 5 of 6