VYPR

apk package

chainguard/frankenphp-8.4

pkg:apk/chainguard/frankenphp-8.4

Vulnerabilities (28)

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.12.3-r0fixed 1.12.3-r0

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-39972HigApr 9, 2026
    affected < 1.12.2-r0fixed 1.12.2-r0

    Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to

  • CVE-2026-39883HigApr 8, 2026
    affected < 1.12.2-r0fixed 1.12.2-r0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 1.12.2-r0fixed 1.12.2-r0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-33817Apr 6, 2026
    affected < 1.12.2-r0fixed 1.12.2-r0

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-34986HigApr 6, 2026
    affected < 1.12.1-r5fixed 1.12.1-r5

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-33186CriMar 20, 2026
    affected < 1.12.1-r1fixed 1.12.1-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-30836CriMar 19, 2026
    affected < 1.12.1-r2fixed 1.12.1-r2

    Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

Page 2 of 2