VYPR

apk package

chainguard/grafana-fips-12.0

pkg:apk/chainguard/grafana-fips-12.0

Vulnerabilities (39)

  • CVE-2026-27140HigApr 8, 2026
    affected < 12.0.10-r3fixed 12.0.10-r3

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2026-33817Apr 6, 2026
    affected < 12.0.10-r2fixed 12.0.10-r2

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-27880HigMar 27, 2026
    affected < 12.0.10-r2fixed 12.0.10-r2

    The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.

  • CVE-2026-27142MedMar 6, 2026
    affected < 12.0.10-r2fixed 12.0.10-r2

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 12.0.10-r2fixed 12.0.10-r2

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-27138MedMar 6, 2026
    affected < 12.0.10-r2fixed 12.0.10-r2

    Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

  • CVE-2026-27137HigMar 6, 2026
    affected < 12.0.10-r2fixed 12.0.10-r2

    When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

  • CVE-2026-25679HigMar 6, 2026
    affected < 12.0.10-r2fixed 12.0.10-r2

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-68121CriFeb 5, 2026
    affected < 12.0.10-r0fixed 12.0.10-r0

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 12.0.10-r0fixed 12.0.10-r0

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-47914Nov 19, 2025
    affected < 0fixed 0

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

  • CVE-2025-58181Nov 19, 2025
    affected < 0fixed 0

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-47907Aug 7, 2025
    affected < 12.0.3-r2fixed 12.0.3-r2

    Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex

  • CVE-2025-8556LowAug 6, 2025
    affected < 12.0.1-r2fixed 12.0.1-r2

    A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

  • CVE-2025-48371May 22, 2025
    affected < 12.0.1-r1fixed 12.0.1-r1

    OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us

  • CVE-2025-46331Apr 30, 2025
    affected < 12.0.0-r2fixed 12.0.0-r2

    OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c

  • CVE-2025-30153HigMar 19, 2025
    affected < 0fixed 0

    kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system

  • CVE-2025-27144MedFeb 24, 2025
    affected < 0fixed 0

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2020-12459Apr 29, 2020
    affected < 0fixed 0

    In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.

Page 2 of 2