VYPR

apk package

chainguard/drone

pkg:apk/chainguard/drone

Vulnerabilities (31)

  • CVE-2026-39825MedMay 7, 2026
    affected < 0fixed 0

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 3.3.0-r0fixed 3.3.0-r0

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 3.3.0-r0fixed 3.3.0-r0

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 3.3.0-r0fixed 3.3.0-r0

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 3.3.0-r0fixed 3.3.0-r0

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 3.3.0-r0fixed 3.3.0-r0

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 3.3.0-r0fixed 3.3.0-r0

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2025-69725MedFeb 19, 2026
    affected < 0fixed 0

    An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain.

  • CVE-2025-58058MedAug 28, 2025
    affected < 3.3.0-r6fixed 3.3.0-r6

    xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the

  • CVE-2020-8912Aug 11, 2020
    affected < 0fixed 0

    A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-

  • CVE-2020-8911Aug 11, 2020
    affected < 0fixed 0

    A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket a

Page 2 of 2