apk package
chainguard/dask-kubernetes
pkg:apk/chainguard/dask-kubernetes
Vulnerabilities (41)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-26007 | — | < 2025.7.0-r8 | 2025.7.0-r8 | Feb 10, 2026 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke | ||
| CVE-2026-24049 | — | < 2025.7.0-r8 | 2025.7.0-r8 | Jan 22, 2026 | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil | ||
| CVE-2026-23949 | — | < 2025.7.0-r6 | 2025.7.0-r6 | Jan 20, 2026 | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta | ||
| CVE-2026-23490 | — | < 2025.7.0-r6 | 2025.7.0-r6 | Jan 16, 2026 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. | ||
| CVE-2026-23528 | — | < 2025.7.0-r6 | 2025.7.0-r6 | Jan 16, 2026 | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) b | ||
| CVE-2026-21441 | — | < 2025.7.0-r5 | 2025.7.0-r5 | Jan 7, 2026 | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b | ||
| CVE-2025-69230 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w | ||
| CVE-2025-69229 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method | ||
| CVE-2025-69228 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ | ||
| CVE-2025-69227 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI | ||
| CVE-2025-69225 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi | ||
| CVE-2025-69226 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica | ||
| CVE-2025-69224 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u | ||
| CVE-2025-69223 | — | < 2025.7.0-r4 | 2025.7.0-r4 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust | ||
| CVE-2025-66471 | — | < 2025.7.0-r2 | 2025.7.0-r2 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu | ||
| CVE-2025-66418 | — | < 2025.7.0-r2 | 2025.7.0-r2 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a | ||
| CVE-2025-53643 | — | < 2025.7.0-r1 | 2025.7.0-r1 | Jul 14, 2025 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed | ||
| CVE-2025-50182 | — | < 2025.4.3-r4 | 2025.4.3-r4 | Jun 19, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque | ||
| CVE-2025-50181 | — | < 2025.4.3-r4 | 2025.4.3-r4 | Jun 19, 2025 | urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl | ||
| CVE-2024-47081 | Med | 5.3 | < 0 | 0 | Jun 9, 2025 | Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc |
- CVE-2026-26007Feb 10, 2026affected < 2025.7.0-r8fixed 2025.7.0-r8
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke
- CVE-2026-24049Jan 22, 2026affected < 2025.7.0-r8fixed 2025.7.0-r8
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil
- CVE-2026-23949Jan 20, 2026affected < 2025.7.0-r6fixed 2025.7.0-r6
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta
- CVE-2026-23490Jan 16, 2026affected < 2025.7.0-r6fixed 2025.7.0-r6
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
- CVE-2026-23528Jan 16, 2026affected < 2025.7.0-r6fixed 2025.7.0-r6
Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) b
- CVE-2026-21441Jan 7, 2026affected < 2025.7.0-r5fixed 2025.7.0-r5
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b
- CVE-2025-69230Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w
- CVE-2025-69229Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method
- CVE-2025-69228Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ
- CVE-2025-69227Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI
- CVE-2025-69225Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi
- CVE-2025-69226Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica
- CVE-2025-69224Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u
- CVE-2025-69223Jan 5, 2026affected < 2025.7.0-r4fixed 2025.7.0-r4
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust
- CVE-2025-66471Dec 5, 2025affected < 2025.7.0-r2fixed 2025.7.0-r2
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu
- CVE-2025-66418Dec 5, 2025affected < 2025.7.0-r2fixed 2025.7.0-r2
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a
- CVE-2025-53643Jul 14, 2025affected < 2025.7.0-r1fixed 2025.7.0-r1
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed
- CVE-2025-50182Jun 19, 2025affected < 2025.4.3-r4fixed 2025.4.3-r4
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque
- CVE-2025-50181Jun 19, 2025affected < 2025.4.3-r4fixed 2025.4.3-r4
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl
- affected < 0fixed 0
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc
Page 2 of 3