apk package

chainguard/kibana-8.19

pkg:apk/chainguard/kibana-8.19

Vulnerabilities (102)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-44665	Med	6.1	< 8.19.15-r0	8.19.15-r0	May 13, 2026	fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.
CVE-2026-44294	Med	5.3	< 8.19.15-r0	8.19.15-r0	May 13, 2026	protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int
CVE-2026-44293	Hig	8.8	< 8.19.15-r0	8.19.15-r0	May 13, 2026	protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no
CVE-2026-44292	Med	5.3	< 8.19.15-r0	8.19.15-r0	May 13, 2026	protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message
CVE-2026-44291	Hig	8.1	< 8.19.15-r0	8.19.15-r0	May 13, 2026	protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,
CVE-2026-44290	Hig	7.5	< 8.19.15-r0	8.19.15-r0	May 13, 2026	protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio
CVE-2026-44289	Hig	7.5	< 8.19.15-r0	8.19.15-r0	May 13, 2026	protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
CVE-2026-44288	Med	5.3	< 8.19.15-r0	8.19.15-r0	May 13, 2026	protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can
CVE-2026-45134	hig	—	< 8.19.15-r0	8.19.15-r0	May 13, 2026	## Description The LangSmith SDK's prompt pull methods (`pull_prompt` / `pull_prompt_commit` in Python, `pullPrompt` / `pullPromptCommit` in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model c
CVE-2026-44240	Hig	7.5	< 8.19.15-r0	8.19.15-r0	May 12, 2026	basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner p
CVE-2026-42338	Med	6.1	< 8.19.15-r0	8.19.15-r0	May 12, 2026	ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
CVE-2026-44902	hig	—	< 8.19.15-r0	8.19.15-r0	May 11, 2026	## Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that t
CVE-2026-42264	Hig	7.4	< 8.19.15-r0	8.19.15-r0	May 8, 2026	Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert
CVE-2026-41650	Med	6.1	< 8.19.14-r5	8.19.14-r5	May 7, 2026	fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This
CVE-2026-6322	Hig	7.5	< 8.19.15-r0	8.19.15-r0	May 5, 2026	fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw
CVE-2026-6321	Hig	7.5	< 8.19.15-r0	8.19.15-r0	May 4, 2026	fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize
CVE-2026-41907	Hig	7.5	< 8.19.14-r5	8.19.14-r5	Apr 24, 2026	uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi
CVE-2026-42044	Med	6.5	< 8.19.15-r0	8.19.15-r0	Apr 24, 2026	Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, in
CVE-2026-42043	Hig	7.2	< 8.19.15-r0	8.19.15-r0	Apr 24, 2026	Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vu
CVE-2026-42042	Med	5.4	< 8.19.15-r0	8.19.15-r0	Apr 24, 2026	Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is s

CVE-2026-44665MedMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.
CVE-2026-44294MedMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int
CVE-2026-44293HigMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no
CVE-2026-44292MedMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message
CVE-2026-44291HigMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,
CVE-2026-44290HigMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio
CVE-2026-44289HigMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
CVE-2026-44288MedMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can
CVE-2026-45134higMay 13, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
## Description The LangSmith SDK's prompt pull methods (`pull_prompt` / `pull_prompt_commit` in Python, `pullPrompt` / `pullPromptCommit` in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model c
CVE-2026-44240HigMay 12, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner p
CVE-2026-42338MedMay 12, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
CVE-2026-44902higMay 11, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
## Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that t
CVE-2026-42264HigMay 8, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert
CVE-2026-41650MedMay 7, 2026
affected < 8.19.14-r5fixed 8.19.14-r5
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This
CVE-2026-6322HigMay 5, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw
CVE-2026-6321HigMay 4, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize
CVE-2026-41907HigApr 24, 2026
affected < 8.19.14-r5fixed 8.19.14-r5
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi
CVE-2026-42044MedApr 24, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, in
CVE-2026-42043HigApr 24, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vu
CVE-2026-42042MedApr 24, 2026
affected < 8.19.15-r0fixed 8.19.15-r0
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is s

Page 1 of 6