VYPR

apk package

chainguard/keep-ui-fips

pkg:apk/chainguard/keep-ui-fips

Vulnerabilities (5)

  • CVE-2026-6322HigMay 5, 2026
    affected < 0.51.0-r7fixed 0.51.0-r7

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321HigMay 4, 2026
    affected < 0.51.0-r6fixed 0.51.0-r6

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize

  • CVE-2026-41305MedApr 24, 2026
    affected < 0.51.0-r6fixed 0.51.0-r6

    PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em

  • CVE-2026-29057Mar 18, 2026
    affected < 0.51.0-r1fixed 0.51.0-r1

    Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could tri

  • CVE-2026-27980Mar 18, 2026
    affected < 0.51.0-r5fixed 0.51.0-r5

    Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker