VYPR

apk package

chainguard/datahub-ingestion

pkg:apk/chainguard/datahub-ingestion

Vulnerabilities (29)

  • CVE-2026-54911, Jun 19, 2026
    affected < 1.6.0-r4, fixed 1.6.0-r4

    Summary: `ujson.dumps()` (or `ujson.dump()` or `ujson.encode()`) have a `reject_bytes=False` option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input

  • CVE-2026-55865, Jun 19, 2026
    affected < 1.6.0-r4, fixed 1.6.0-r4

    Impact: Given a malformed `{% case %}` tag without associated `{% when %}` or `{% else %}` block, and no terminating `{% endcase %}` tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial of service at

  • CVE-2026-47265 (High), Jun 2, 2026
    affected < 1.6.0-r2, fixed 1.6.0-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then

  • CVE-2026-34993 (Medium), Jun 2, 2026
    affected < 1.6.0-r2, fixed 1.6.0-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using `CookieJar.load()` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is

  • CVE-2026-45017 (High), May 28, 2026
    affected < 1.5.0.6-r0, fixed 1.5.0.6-r0

    Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template author

  • CVE-2026-44432 (High), May 13, 2026
    affected < 1.5.0.6-r0, fixed 1.5.0.6-r0

    urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w

  • CVE-2026-44431 (Medium), May 13, 2026
    affected < 1.5.0.6-r0, fixed 1.5.0.6-r0

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2026-42266 (High), May 13, 2026
    affected < 1.5.0.4-r0, fixed 1.5.0.4-r0

    JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced

  • CVE-2026-40171 (High), May 6, 2026
    affected < 1.5.0.4-r0, fixed 1.5.0.4-r0

    In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be ch

  • CVE-2026-40934 (Medium), May 5, 2026
    affected < 1.5.0.4-r0, fixed 1.5.0.4-r0

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password

  • CVE-2026-40110 (High), May 5, 2026
    affected < 1.5.0.4-r0, fixed 1.5.0.4-r0

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string

  • CVE-2026-35397 (High), May 5, 2026
    affected < 1.5.0.4-r0, fixed 1.5.0.4-r0

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the r

  • CVE-2025-61669 (Medium), May 5, 2026
    affected < 1.5.0.4-r0, fixed 1.5.0.4-r0

    Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values su

  • CVE-2026-41425 (Medium), Apr 24, 2026
    affected < 1.5.0.3-r0, fixed 1.5.0.3-r0

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

  • CVE-2026-41066 (High), Apr 24, 2026
    affected < 1.5.0.6-r0, fixed 1.5.0.6-r0

    lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolv

  • CVE-2026-34525 (Medium), Apr 1, 2026
    affected < 1.6.0-r1, fixed 1.6.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

  • CVE-2026-34520 (Critical), Apr 1, 2026
    affected < 1.6.0-r1, fixed 1.6.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

  • CVE-2026-34519 (Medium), Apr 1, 2026
    affected < 1.6.0-r1, fixed 1.6.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

  • CVE-2026-34518 (Medium), Apr 1, 2026
    affected < 1.6.0-r1, fixed 1.6.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in

  • CVE-2026-34517 (Medium), Apr 1, 2026
    affected < 1.6.0-r1, fixed 1.6.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

Page 1 of 2