VYPR

apk package

chainguard/foxx-cli

pkg:apk/chainguard/foxx-cli

Vulnerabilities (9)

  • CVE-2026-53550Jun 15, 2026
    affected < 2.1.1-r8fixed 2.1.1-r8

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-4800HigMar 31, 2026
    affected < 2.1.1-r6fixed 2.1.1-r6

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 2.1.1-r6fixed 2.1.1-r6

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-33750MedMar 27, 2026
    affected < 2.1.1-r6fixed 2.1.1-r6

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-31988MedMar 11, 2026
    affected < 2.1.1-r4fixed 2.1.1-r4

    yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allo

  • CVE-2026-26996Feb 20, 2026
    affected < 2.1.1-r4fixed 2.1.1-r4

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2025-13465MedJan 21, 2026
    affected < 2.1.1-r3fixed 2.1.1-r3

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2025-57352MedSep 24, 2025
    affected < 2.1.1-r3fixed 2.1.1-r3

    A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of

  • CVE-2025-5889LowJun 9, 2025
    affected < 2.1.1-r1fixed 2.1.1-r1

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l