VYPR

apk package

chainguard/homepage

pkg:apk/chainguard/homepage

Vulnerabilities (17)

  • CVE-2026-54269Jun 15, 2026
    affected < 1.13.2-r4fixed 1.13.2-r4

    ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc

  • CVE-2026-53655Jun 15, 2026
    affected < 1.13.2-r4fixed 1.13.2-r4

    ### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`

  • CVE-2026-53550Jun 15, 2026
    affected < 1.13.2-r4fixed 1.13.2-r4

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-48779higJun 15, 2026
    affected < 1.13.2-r2fixed 1.13.2-r2

    ### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea

  • CVE-2026-44705HigJun 11, 2026
    affected < 1.13.2-r1fixed 1.13.2-r1

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal

  • CVE-2026-44724HigMay 27, 2026
    affected < 1.13.2-r0fixed 1.13.2-r0

    systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable v

  • CVE-2026-45736MedMay 15, 2026
    affected < 1.13.2-r0fixed 1.13.2-r0

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-44294MedMay 13, 2026
    affected < 1.13.1-r3fixed 1.13.1-r3

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int

  • CVE-2026-44293HigMay 13, 2026
    affected < 1.13.1-r3fixed 1.13.1-r3

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no

  • CVE-2026-44292MedMay 13, 2026
    affected < 1.13.1-r3fixed 1.13.1-r3

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message

  • CVE-2026-44291HigMay 13, 2026
    affected < 1.13.1-r3fixed 1.13.1-r3

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,

  • CVE-2026-44290HigMay 13, 2026
    affected < 1.13.1-r3fixed 1.13.1-r3

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio

  • CVE-2026-44289HigMay 13, 2026
    affected < 1.13.1-r3fixed 1.13.1-r3

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.

  • CVE-2026-44288MedMay 13, 2026
    affected < 1.13.1-r3fixed 1.13.1-r3

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can

  • CVE-2026-41907HigApr 24, 2026
    affected < 1.13.2-r0fixed 1.13.2-r0

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-41305MedApr 24, 2026
    affected < 1.13.2-r1fixed 1.13.2-r1

    PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em

  • CVE-2025-54798Aug 7, 2025
    affected < 1.13.2-r1fixed 1.13.2-r1

    tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.