apk package
chainguard/commercial-grafana-11.6
pkg:apk/chainguard/commercial-grafana-11.6
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39824 | Low | 3.3 | < 0 | 0 | May 22, 2026 | NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error. | |
| CVE-2026-42501 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser | |
| CVE-2026-42499 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | |
| CVE-2026-39836 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | |
| CVE-2026-39826 | Med | 6.1 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. | |
| CVE-2026-39825 | Med | 5.3 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa | |
| CVE-2026-39823 | Med | 6.1 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le | |
| CVE-2026-39820 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. | |
| CVE-2026-39819 | Med | 5.3 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. | |
| CVE-2026-39817 | Med | 5.9 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. | |
| CVE-2026-33814 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | |
| CVE-2026-33811 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | May 7, 2026 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. | |
| CVE-2026-33817 | — | < 11.6.14-r0 | 11.6.14-r0 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive | ||
| CVE-2026-28377 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | Mar 26, 2026 | A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability | |
| CVE-2026-32285 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | Mar 26, 2026 | The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack. | |
| CVE-2026-33487 | Hig | 7.5 | < 11.6.14-r0 | 11.6.14-r0 | Mar 26, 2026 | goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo | |
| CVE-2026-33186 | Cri | 9.1 | < 11.6.14-r0 | 11.6.14-r0 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2026-1229 | — | < 11.6.14-r0 | 11.6.14-r0 | Feb 24, 2026 | The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https:// | ||
| CVE-2025-8556 | Low | 3.7 | < 11.6.14-r0 | 11.6.14-r0 | Aug 6, 2025 | A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. |
- affected < 0fixed 0
NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
- affected < 11.6.14-r0fixed 11.6.14-r0
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
- affected < 11.6.14-r0fixed 11.6.14-r0
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
- affected < 11.6.14-r0fixed 11.6.14-r0
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
- affected < 11.6.14-r0fixed 11.6.14-r0
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
- affected < 11.6.14-r0fixed 11.6.14-r0
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
- affected < 11.6.14-r0fixed 11.6.14-r0
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
- affected < 11.6.14-r0fixed 11.6.14-r0
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
- affected < 11.6.14-r0fixed 11.6.14-r0
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
- affected < 11.6.14-r0fixed 11.6.14-r0
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
- affected < 11.6.14-r0fixed 11.6.14-r0
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
- affected < 11.6.14-r0fixed 11.6.14-r0
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
- CVE-2026-33817Apr 6, 2026affected < 11.6.14-r0fixed 11.6.14-r0
Rejected reason: CVE confirmed to be a false positive
- affected < 11.6.14-r0fixed 11.6.14-r0
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Thanks to william_goodfellow for reporting this vulnerability
- affected < 11.6.14-r0fixed 11.6.14-r0
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
- affected < 11.6.14-r0fixed 11.6.14-r0
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo
- affected < 11.6.14-r0fixed 11.6.14-r0
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- CVE-2026-1229Feb 24, 2026affected < 11.6.14-r0fixed 11.6.14-r0
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
- affected < 11.6.14-r0fixed 11.6.14-r0
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.