VYPR

apk package

chainguard/commercial-grafana-12.4

pkg:apk/chainguard/commercial-grafana-12.4

Vulnerabilities (26)

  • CVE-2026-27140 | High | Apr 8, 2026
    affected < 12.4.3-r0 | fixed 12.4.3-r0

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2026-33817 | Apr 6, 2026
    affected < 12.4.2-r0 | fixed 12.4.2-r0

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-32285 | High | Mar 26, 2026
    affected < 12.4.2-r0 | fixed 12.4.2-r0

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

  • CVE-2026-33487 | High | Mar 26, 2026
    affected < 12.4.2-r0 | fixed 12.4.2-r0

    goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo

  • CVE-2026-33186 | Critical | Mar 20, 2026
    affected < 12.4.2-r0 | fixed 12.4.2-r0

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-1229 | Feb 24, 2026
    affected < 12.4.2-r0 | fixed 12.4.2-r0

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

Page 2 of 2