VYPR

apk package

chainguard/keycloak-fips-26.4

pkg:apk/chainguard/keycloak-fips-26.4

Vulnerabilities (7)

  • CVE-2026-42577 · High · May 13, 2026
    affected < 26.4.7-r14, fixed 26.4.7-r14

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2025-67735 · Dec 16, 2025
    affected < 26.4.7-r13, fixed 26.4.7-r13

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-12390 · Medium · Oct 28, 2025
    affected < 26.4.4-r0, fixed 26.4.4-r0

    A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie

  • CVE-2025-10939 · Low · Oct 28, 2025
    affected < 26.4.4-r0, fixed 26.4.4-r0

    A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application pat

  • CVE-2025-11965 · Oct 22, 2025
    affected < 26.4.7-r12, fixed 26.4.7-r12

    In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').

  • CVE-2025-11966 · Oct 22, 2025
    affected < 26.4.7-r12, fixed 26.4.7-r12

    In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories

  • CVE-2025-59250 · Oct 14, 2025
    affected < 0, fixed 0

    Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.