VYPR

apk package

chainguard/elastic-agent-8.19

pkg:apk/chainguard/elastic-agent-8.19

Vulnerabilities (36)

  • CVE-2026-48496medJun 23, 2026
    affected < 8.19.17-r1fixed 8.19.17-r1

    ### Summary An unprivileged process can easily trigger the `processPIDEvents` goroutine to be blocked indefinitely, preventing the goroutine from analyzing any new ELF file. The goroutine stays blocked in the `openat2` syscall forever and the profiler can no longer work properly

  • CVE-2026-42306HigJun 12, 2026
    affected < 8.19.17-r0fixed 8.19.17-r0

    Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount targe

  • CVE-2026-41568MedJun 12, 2026
    affected < 8.19.17-r0fixed 8.19.17-r0

    Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or direc

  • CVE-2026-41567HigJun 5, 2026
    affected < 8.19.17-r0fixed 8.19.17-r0

    Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries

  • CVE-2026-42507MedJun 2, 2026
    affected < 8.19.16-r1fixed 8.19.16-r1

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 8.19.16-r1fixed 8.19.16-r1

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 8.19.16-r1fixed 8.19.16-r1

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-44903MedMay 26, 2026
    affected < 8.19.15-r4fixed 8.19.15-r4

    Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values

  • CVE-2026-33814HigMay 7, 2026
    affected < 8.19.15-r3fixed 8.19.15-r3

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-41602HigApr 28, 2026
    affected < 8.19.15-r5fixed 8.19.15-r5

    Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2026-32952MedApr 24, 2026
    affected < 8.19.14-r3fixed 8.19.14-r3

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-40179MedApr 15, 2026
    affected < 8.19.14-r5fixed 8.19.14-r5

    Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne

  • CVE-2026-39883HigApr 8, 2026
    affected < 8.19.14-r2fixed 8.19.14-r2

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 8.19.14-r4fixed 8.19.14-r4

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-33817Apr 6, 2026
    affected < 8.19.14-r0fixed 8.19.14-r0

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-34986HigApr 6, 2026
    affected < 8.19.13-r3fixed 8.19.13-r3

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-34040HigMar 31, 2026
    affected < 8.19.14-r2fixed 8.19.14-r2

    Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

  • CVE-2026-33997MedMar 31, 2026
    affected < 8.19.14-r2fixed 8.19.14-r2

    Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre

  • CVE-2026-32287HigMar 26, 2026
    affected < 8.19.13-r2fixed 8.19.13-r2

    Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

  • CVE-2026-32285HigMar 26, 2026
    affected < 8.19.14-r1fixed 8.19.14-r1

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

Page 1 of 2