VYPR

apk package

chainguard/dbgate-fips

pkg:apk/chainguard/dbgate-fips

Vulnerabilities (9)

  • CVE-2026-44665 | Med | May 13, 2026
    affected < 7.1.10-r0 | fixed 7.1.10-r0

    fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data has quotes in attribute values but process entities is not enabled, the attribute value is broken into multiple attributes. This gives an attacker room to insert unwanted attributes into the XML/HTML.

  • CVE-2026-44664 | Med | May 13, 2026
    affected < 7.1.10-r0 | fixed 7.1.10-r0

    fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using `.replace(/--/g, '- -')`. This skips values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out o

  • CVE-2026-41907 | Hig | Apr 24, 2026
    affected < 7.1.10-r0 | fixed 7.1.10-r0

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-33036 | Mar 20, 2026
    affected < 7.1.3-r0 | fixed 7.1.3-r0

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa

  • CVE-2026-27942 | Feb 26, 2026
    affected < 7.1.2-r0 | fixed 7.1.2-r0

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true`. Version 5.3.8

  • CVE-2026-25896 | Feb 20, 2026
    affected < 7.1.0-r0 | fixed 7.1.0-r0

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an att

  • CVE-2026-26278 | Feb 19, 2026
    affected < 7.1.0-r0 | fixed 7.1.0-r0

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu

  • CVE-2026-25128 | Jan 30, 2026
    affected < 7.0.1-r0 | fixed 7.0.1-r0

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML

  • CVE-2025-65945 | Dec 4, 2025
    affected < 6.8.0-r0 | fixed 6.8.0-r0

    auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us