VYPR

apk package

chainguard/camunda-8.8

pkg:apk/chainguard/camunda-8.8

Vulnerabilities (47)

  • CVE-2026-33870 · Mar 27, 2026
    affected < 8.8.22-r0 · fixed 8.8.22-r0

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2026-22737 · Medium · Mar 20, 2026
    affected < 8.8.22-r0 · fixed 8.8.22-r0

    Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 throug

  • CVE-2026-22735 · Low · Mar 20, 2026
    affected < 8.8.22-r0 · fixed 8.8.22-r0

    Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

  • CVE-2026-22733 · High · Mar 20, 2026
    affected < 8.8.22-r0 · fixed 8.8.22-r0

    Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 th

  • CVE-2026-22732 · Critical · Mar 19, 2026
    affected < 8.8.22-r0 · fixed 8.8.22-r0

    When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: from 5.7.0

  • CVE-2026-22731 · High · Mar 19, 2026
    affected < 8.8.22-r0 · fixed 8.8.22-r0

    Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot:

  • CVE-2026-21452 · Jan 2, 2026
    affected < 8.8.9-r0 · fixed 8.8.9-r0

    MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers

Page 3 of 3