VYPR

apk package

chainguard/datahub-ingestion-fips

pkg:apk/chainguard/datahub-ingestion-fips

Vulnerabilities (36)

  • CVE-2026-47265 (High), Jun 2, 2026
    affected: < 1.6.0-r1; fixed: 1.6.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then

  • CVE-2026-34993 (Medium), Jun 2, 2026
    affected: < 1.6.0-r1; fixed: 1.6.0-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is

  • CVE-2026-45017 (High), May 28, 2026
    affected: < 1.5.0.4-r0; fixed: 1.5.0.4-r0

    Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template author

  • CVE-2026-44897 (Medium), May 26, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or any other sanitisation function.

  • CVE-2026-44896 (Medium), May 26, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XS

  • CVE-2026-44708 (Medium), May 26, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even wh

  • CVE-2026-44432 (High), May 13, 2026
    affected: < 1.5.0.4-r0; fixed: 1.5.0.4-r0

    urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w

  • CVE-2026-44431 (Medium), May 13, 2026
    affected: < 1.5.0.4-r0; fixed: 1.5.0.4-r0

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2026-42557 (Critical), May 13, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker li

  • CVE-2026-42266 (High), May 13, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced

  • CVE-2026-44244 (High), May 7, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines

  • CVE-2026-44243 (High), May 7, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository

  • CVE-2026-42284 (High), May 7, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (st

  • CVE-2026-42215 (High), May 7, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass tha

  • CVE-2026-40171 (High), May 6, 2026
    affected: < 1.5.0.1-r1; fixed: 1.5.0.1-r1

    In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be ch

  • CVE-2026-33079 (High), May 6, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles conta

  • CVE-2026-40934 (Medium), May 5, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password

  • CVE-2026-40110 (High), May 5, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string

  • CVE-2026-35397 (High), May 5, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the r

  • CVE-2025-61669 (Medium), May 5, 2026
    affected: < 1.5.0.1-r2; fixed: 1.5.0.1-r2

    Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values su

Page 1 of 2