apk package
chainguard/grafana-11.6
pkg:apk/chainguard/grafana-11.6
Vulnerabilities (54)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58181 | — | < 11.6.8-r1 | 11.6.8-r1 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-47907 | — | < 11.6.4-r2 | 11.6.4-r2 | Aug 7, 2025 | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex | ||
| CVE-2025-8556 | Low | 3.7 | < 11.6.2-r2 | 11.6.2-r2 | Aug 6, 2025 | A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. | |
| CVE-2025-48371 | — | < 11.6.2-r1 | 11.6.2-r1 | May 22, 2025 | OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us | ||
| CVE-2025-46331 | — | < 11.6.8-r0 | 11.6.8-r0 | Apr 30, 2025 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c | ||
| CVE-2025-22872 | Med | 6.5 | < 11.6.0-r2 | 11.6.0-r2 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-30153 | Hig | 7.5 | < 0 | 0 | Mar 19, 2025 | kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system | |
| CVE-2024-6485 | Med | 6.4 | < 11.6.7-r0 | 11.6.7-r0 | Jul 11, 2024 | A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript cod | |
| CVE-2022-31022 | — | < 11.6.1-r2 | 11.6.1-r2 | Jun 1, 2022 | Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (blev | ||
| CVE-2018-20677 | — | < 11.6.7-r0 | 11.6.7-r0 | Jan 9, 2019 | In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. | ||
| CVE-2018-20676 | — | < 11.6.7-r0 | 11.6.7-r0 | Jan 9, 2019 | In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. | ||
| CVE-2016-10735 | — | < 11.6.7-r0 | 11.6.7-r0 | Jan 9, 2019 | In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. | ||
| CVE-2018-14042 | — | < 11.6.7-r0 | 11.6.7-r0 | Jul 13, 2018 | In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. | ||
| CVE-2018-14040 | — | < 11.6.7-r0 | 11.6.7-r0 | Jul 13, 2018 | In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. |
- CVE-2025-58181Nov 19, 2025affected < 11.6.8-r1fixed 11.6.8-r1
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-47907Aug 7, 2025affected < 11.6.4-r2fixed 11.6.4-r2
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
- affected < 11.6.2-r2fixed 11.6.2-r2
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
- CVE-2025-48371May 22, 2025affected < 11.6.2-r1fixed 11.6.2-r1
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us
- CVE-2025-46331Apr 30, 2025affected < 11.6.8-r0fixed 11.6.8-r0
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c
- affected < 11.6.0-r2fixed 11.6.0-r2
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 0fixed 0
kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system
- affected < 11.6.7-r0fixed 11.6.7-r0
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript cod
- CVE-2022-31022Jun 1, 2022affected < 11.6.1-r2fixed 11.6.1-r2
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (blev
- CVE-2018-20677Jan 9, 2019affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
- CVE-2018-20676Jan 9, 2019affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
- CVE-2016-10735Jan 9, 2019affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
- CVE-2018-14042Jul 13, 2018affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
- CVE-2018-14040Jul 13, 2018affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Page 3 of 3