VYPR

apk package

chainguard/kibana-7

pkg:apk/chainguard/kibana-7

Vulnerabilities (30)

  • CVE-2026-41907 (High) Apr 24, 2026
    affected < 7.17.29-r8, fixed 7.17.29-r8

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-39865 (Medium) Apr 8, 2026
    affected < 7.17.29-r8, fixed 7.17.29-r8

    Axios is a promise based HTTP client for the browser and Node.js. Starting in version 1.13.0 and prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The

  • CVE-2026-33896 (High) Mar 27, 2026
    affected < 7.17.29-r8, fixed 7.17.29-r8

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints`

  • CVE-2026-33895 (High) Mar 27, 2026
    affected < 7.17.29-r8, fixed 7.17.29-r8

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signa

  • CVE-2026-33894 (High) Mar 27, 2026
    affected < 7.17.29-r8, fixed 7.17.29-r8

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garba

  • CVE-2026-33891 (High) Mar 27, 2026
    affected < 7.17.29-r8, fixed 7.17.29-r8

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from

  • CVE-2026-33750 (Medium) Mar 27, 2026
    affected < 7.17.29-r8, fixed 7.17.29-r8

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-31988 (Medium) Mar 11, 2026
    affected < 7.17.29-r7, fixed 7.17.29-r7

    yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allo

  • CVE-2025-66030 Nov 26, 2025
    affected < 7.17.29-r7, fixed 7.17.29-r7

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.

  • CVE-2025-66031 Nov 26, 2025
    affected < 7.17.29-r7, fixed 7.17.29-r7

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re

  • CVE-2025-12816 Nov 25, 2025
    affected < 7.17.29-r7, fixed 7.17.29-r7

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s

  • CVE-2025-13033 (High) Nov 14, 2025
    affected < 7.17.29-r5, fixed 7.17.29-r5

    A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m

  • CVE-2025-64718 Nov 13, 2025
    affected < 7.17.29-r6, fixed 7.17.29-r6

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-11362 Oct 7, 2025
    affected < 7.17.29-r4, fixed 7.17.29-r4

    Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that trigger

  • CVE-2025-57319 (High) Sep 24, 2025
    affected < 0, fixed 0

    fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia

  • CVE-2025-7783 (Critical) Jul 18, 2025
    affected < 7.17.29-r2, fixed 7.17.29-r2

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

  • CVE-2025-5889 (Low) Jun 9, 2025
    affected < 7.17.28-r45, fixed 7.17.28-r45

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l

  • CVE-2025-48387 (High) Jun 2, 2025
    affected < 7.17.28-r44, fixed 7.17.28-r44

    tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore o

  • CVE-2024-12905 (High) Mar 27, 2025
    affected < 7.17.28-r41, fixed 7.17.28-r41

    An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrit

  • CVE-2025-27789 (Medium) Mar 11, 2025
    affected < 7.17.28-r2, fixed 7.17.28-r2

    Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specif

Page 1 of 2