VYPR

apk package

chainguard/jaeger-2-fips-jaeger

pkg:apk/chainguard/jaeger-2-fips-jaeger

Vulnerabilities (52)

  • CVE-2026-42499HigMay 7, 2026
    affected < 0fixed 0

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    affected < 2.17.0-r6fixed 2.17.0-r6

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 2.17.0-r6fixed 2.17.0-r6

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 0fixed 0

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 2.17.0-r6fixed 2.17.0-r6

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 0fixed 0

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 2.17.0-r6fixed 2.17.0-r6

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 2.17.0-r6fixed 2.17.0-r6

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 2.17.0-r6fixed 2.17.0-r6

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 2.17.0-r6fixed 2.17.0-r6

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-41602HigApr 28, 2026
    affected < 2.17.0-r5fixed 2.17.0-r5

    Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2026-40179MedApr 15, 2026
    affected < 2.17.0-r3fixed 2.17.0-r3

    Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne

  • CVE-2026-39883HigApr 8, 2026
    affected < 2.17.0-r1fixed 2.17.0-r1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 2.18.0-r1fixed 2.18.0-r1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-33252HigMar 24, 2026
    affected < 2.16.0-r2fixed 2.16.0-r2

    The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments with

  • CVE-2026-33186CriMar 20, 2026
    affected < 2.16.0-r1fixed 2.16.0-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-27142MedMar 6, 2026
    affected < 2.16.0-r0fixed 2.16.0-r0

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 2.16.0-r0fixed 2.16.0-r0

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 2.16.0-r0fixed 2.16.0-r0

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2026-27896HigFeb 26, 2026
    affected < 2.15.1-r1fixed 2.15.1-r1

    The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method",