apk package
chainguard/kibana-8.19-bitnami
pkg:apk/chainguard/kibana-8.19-bitnami
Vulnerabilities (131)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-55388 | hig | — | < 8.19.17-r1 | 8.19.17-r1 | Jun 18, 2026 | ## Summary `piscina`'s constructor and `run()` paths read the `filename` option via plain member access: ```js // dist/index.js line 92 (constructor) const filename = options.filename ? (0, common_1.maybeFileURLToPath)(options.filename) : null; this.options = { ...kDefaultO | |
| CVE-2026-11525 | low | 3.7 | < 8.19.16-r6 | 8.19.16-r6 | Jun 17, 2026 | undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header | |
| CVE-2026-6733 | low | 3.7 | < 8.19.16-r6 | 8.19.16-r6 | Jun 17, 2026 | undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. | |
| CVE-2026-9679 | mod | 5.9 | < 8.19.16-r6 | 8.19.16-r6 | Jun 17, 2026 | undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding | |
| CVE-2026-12151 | imp | 7.5 | < 8.19.16-r6 | 8.19.16-r6 | Jun 17, 2026 | undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames | |
| CVE-2026-48988 | — | < 8.19.17-r1 | 8.19.17-r1 | Jun 15, 2026 | ### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, lea | ||
| CVE-2026-54285 | — | < 8.19.17-r1 | 8.19.17-r1 | Jun 15, 2026 | ## Overview `W3CBaggagePropagator.extract()` in `@opentelemetry/core` does not enforce size limits when parsing inbound `baggage` HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (`in | ||
| CVE-2026-53550 | — | < 8.19.17-r1 | 8.19.17-r1 | Jun 15, 2026 | ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event | ||
| CVE-2026-48779 | hig | — | < 8.19.17-r1 | 8.19.17-r1 | Jun 15, 2026 | ### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea | |
| CVE-2026-12143 | Hig | 7.5 | < 8.19.17-r1 | 8.19.17-r1 | Jun 12, 2026 | form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee | |
| CVE-2026-44494 | Hig | 8.7 | < 8.19.16-r2 | 8.19.16-r2 | Jun 11, 2026 | Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man- | |
| CVE-2026-44492 | Hig | 8.6 | < 8.19.16-r2 | 8.19.16-r2 | Jun 11, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00: | |
| CVE-2026-44490 | Med | 4.8 | < 8.19.16-r2 | 8.19.16-r2 | Jun 11, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil | |
| CVE-2026-48049 | — | < 8.19.17-r0 | 8.19.17-r0 | Jun 11, 2026 | ### Impact `@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the r | ||
| CVE-2026-48068 | hig | — | < 8.19.16-r5 | 8.19.16-r5 | Jun 11, 2026 | ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4 | |
| CVE-2026-48069 | hig | — | < 8.19.16-r5 | 8.19.16-r5 | Jun 11, 2026 | ### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 | |
| CVE-2026-46625 | Hig | 7.5 | < 8.19.16-r2 | 8.19.16-r2 | Jun 10, 2026 | JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o | |
| CVE-2026-45149 | Med | 6.5 | < 8.19.16-r1 | 8.19.16-r1 | May 29, 2026 | The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill | |
| CVE-2026-45134 | Hig | 7.1 | < 8.19.15-r0 | 8.19.15-r0 | May 27, 2026 | LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize | |
| CVE-2026-44902 | Hig | 7.5 | < 8.19.15-r0 | 8.19.15-r0 | May 27, 2026 | opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ |
- affected < 8.19.17-r1fixed 8.19.17-r1
## Summary `piscina`'s constructor and `run()` paths read the `filename` option via plain member access: ```js // dist/index.js line 92 (constructor) const filename = options.filename ? (0, common_1.maybeFileURLToPath)(options.filename) : null; this.options = { ...kDefaultO
- affected < 8.19.16-r6fixed 8.19.16-r6
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
- affected < 8.19.16-r6fixed 8.19.16-r6
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
- affected < 8.19.16-r6fixed 8.19.16-r6
undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
- affected < 8.19.16-r6fixed 8.19.16-r6
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
- CVE-2026-48988Jun 15, 2026affected < 8.19.17-r1fixed 8.19.17-r1
### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, lea
- CVE-2026-54285Jun 15, 2026affected < 8.19.17-r1fixed 8.19.17-r1
## Overview `W3CBaggagePropagator.extract()` in `@opentelemetry/core` does not enforce size limits when parsing inbound `baggage` HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound (`in
- CVE-2026-53550Jun 15, 2026affected < 8.19.17-r1fixed 8.19.17-r1
### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event
- affected < 8.19.17-r1fixed 8.19.17-r1
### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea
- affected < 8.19.17-r1fixed 8.19.17-r1
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee
- affected < 8.19.16-r2fixed 8.19.16-r2
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-
- affected < 8.19.16-r2fixed 8.19.16-r2
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:
- affected < 8.19.16-r2fixed 8.19.16-r2
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil
- CVE-2026-48049Jun 11, 2026affected < 8.19.17-r0fixed 8.19.17-r0
### Impact `@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the r
- affected < 8.19.16-r5fixed 8.19.16-r5
### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4
- affected < 8.19.16-r5fixed 8.19.16-r5
### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5
- affected < 8.19.16-r2fixed 8.19.16-r2
JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o
- affected < 8.19.16-r1fixed 8.19.16-r1
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill
- affected < 8.19.15-r0fixed 8.19.15-r0
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize
- affected < 8.19.15-r0fixed 8.19.15-r0
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ
Page 1 of 7