VYPR

apk package

chainguard/ingress-nginx-controller-1.15

pkg:apk/chainguard/ingress-nginx-controller-1.15

Vulnerabilities (23)

  • CVE-2026-48142Jun 17, 2026
    affected < 1.15.8-r0fixed 1.15.8-r0

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attac

  • CVE-2026-42055Jun 17, 2026
    affected < 1.15.8-r0fixed 1.15.8-r0

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set

  • CVE-2026-41178MedJun 4, 2026
    affected < 1.15.8-r3fixed 1.15.8-r3

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss

  • CVE-2026-42507MedJun 2, 2026
    affected < 1.15.6-r1fixed 1.15.6-r1

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 1.15.6-r1fixed 1.15.6-r1

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 1.15.6-r1fixed 1.15.6-r1

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-39824LowMay 22, 2026
    affected < 0fixed 0

    NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.

  • CVE-2026-42945HigMay 13, 2026
    affected < 1.15.5-r1fixed 1.15.5-r1

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2)

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.15.5-r1fixed 1.15.5-r1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-39883HigApr 8, 2026
    affected < 1.15.8-r1fixed 1.15.8-r1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 0fixed 0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-33810HigApr 8, 2026
    affected < 1.15.6-r0fixed 1.15.6-r0

    When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in th

  • CVE-2026-32289MedApr 8, 2026
    affected < 0fixed 0

    Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es

  • CVE-2026-32288MedApr 8, 2026
    affected < 0fixed 0

    tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

  • CVE-2026-32283HigApr 8, 2026
    affected < 1.15.6-r0fixed 1.15.6-r0

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32282MedApr 8, 2026
    affected < 0fixed 0

    On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R

  • CVE-2026-32281HigApr 8, 2026
    affected < 1.15.6-r0fixed 1.15.6-r0

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C

  • CVE-2026-32280HigApr 8, 2026
    affected < 1.15.6-r0fixed 1.15.6-r0

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls

  • CVE-2026-27140HigApr 8, 2026
    affected < 1.15.6-r0fixed 1.15.6-r0

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2026-24514MedFeb 3, 2026
    affected < 0fixed 0

    A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingr

Page 1 of 2