VYPR

apk package

chainguard/dependency-track-apiserver

pkg:apk/chainguard/dependency-track-apiserver

Vulnerabilities (6)

  • CVE-2026-42198 | High | Apr 29, 2026
    affected: < 4.14.1-r2 | fixed: 4.14.1-r2

    pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg

  • CVE-2026-40542 | High | Apr 22, 2026
    affected: < 4.14.1-r1 | fixed: 4.14.1-r1

    Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

  • CVE-2025-67030 | High | Mar 25, 2026
    affected: < 4.14.0-r1 | fixed: 4.14.0-r1

    Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

  • CVE-2026-1605 | Mar 5, 2026
    affected: < 4.14.0-r0 | fixed: 4.14.0-r0

    In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated

  • CVE-2025-11143 | Mar 5, 2026
    affected: < 4.14.0-r0 | fixed: 4.14.0-r0

    The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR

  • CVE-2026-1225 | Low | Jan 22, 2026
    affected: < 4.14.0-r0 | fixed: 4.14.0-r0

    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti