VYPR

apk package

chainguard/kayenta-fips-2026.0

pkg:apk/chainguard/kayenta-fips-2026.0

Vulnerabilities (48)

  • CVE-2026-33871 | Mar 27, 2026
    affected < 2026.0.2-r6 | fixed 2026.0.2-r6

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-33870 | Mar 27, 2026
    affected < 2026.0.2-r6 | fixed 2026.0.2-r6

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2025-70952 | High | Mar 25, 2026
    affected < 2026.0.2-r6 | fixed 2026.0.2-r6

    pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.

  • CVE-2026-24734 | Feb 17, 2026
    affected < 2026.0.2-r4 | fixed 2026.0.2-r4

    Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revo

  • CVE-2026-24733 | Feb 17, 2026
    affected < 2026.0.2-r2 | fixed 2026.0.2-r2

    Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending

  • CVE-2025-66614 | Feb 17, 2026
    affected < 2026.0.2-r2 | fixed 2026.0.2-r2

    Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through

  • CVE-2024-22262 | High | Apr 16, 2024
    affected < 2026.0.2-r7 | fixed 2026.0.2-r7

    Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to a SSRF a

  • CVE-2024-22257 | High | Mar 18, 2024
    affected < 2026.0.2-r7 | fixed 2026.0.2-r7

    In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#v
