VYPR

apk package

chainguard/kibana-8.19-bitnami

pkg:apk/chainguard/kibana-8.19-bitnami

Vulnerabilities (131)

  • CVE-2025-68665Dec 23, 2025
    affected < 8.19.9-r2fixed 8.19.9-r2

    LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify

  • CVE-2025-68422Dec 18, 2025
    affected < 8.19.11-r0fixed 8.19.11-r0

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re

  • CVE-2025-68386Dec 18, 2025
    affected < 8.19.11-r0fixed 8.19.11-r0

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a

  • CVE-2025-68389Dec 18, 2025
    affected < 8.19.11-r0fixed 8.19.11-r0

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.

  • CVE-2025-68387Dec 18, 2025
    affected < 8.19.11-r0fixed 8.19.11-r0

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han

  • CVE-2025-68385Dec 18, 2025
    affected < 8.19.11-r0fixed 8.19.11-r0

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre

  • CVE-2025-14874Dec 18, 2025
    affected < 8.19.8-r0fixed 8.19.8-r0

    A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

  • CVE-2025-68154Dec 16, 2025
    affected < 0fixed 0

    systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com

  • CVE-2025-37732Dec 15, 2025
    affected < 8.19.11-r0fixed 8.19.11-r0

    Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing

  • CVE-2025-65945Dec 4, 2025
    affected < 8.19.8-r1fixed 8.19.8-r1

    auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us

  • CVE-2025-66030Nov 26, 2025
    affected < 8.19.7-r2fixed 8.19.7-r2

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.

  • CVE-2025-66031Nov 26, 2025
    affected < 8.19.7-r2fixed 8.19.7-r2

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re

  • CVE-2025-12816Nov 25, 2025
    affected < 8.19.7-r2fixed 8.19.7-r2

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s

  • CVE-2025-64756Nov 17, 2025
    affected < 0fixed 0

    Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.

  • CVE-2025-13033HigNov 14, 2025
    affected < 8.19.5-r1fixed 8.19.5-r1

    A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m

  • CVE-2025-13204Nov 14, 2025
    affected < 8.19.15-r0fixed 8.19.15-r0

    npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.

  • CVE-2025-64718Nov 13, 2025
    affected < 8.19.7-r1fixed 8.19.7-r1

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-37734Nov 12, 2025
    affected < 8.19.11-r0fixed 8.19.11-r0

    Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.

  • CVE-2025-48985Nov 7, 2025
    affected < 8.19.9-r0fixed 8.19.9-r0

    A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-48

  • CVE-2025-12735Nov 5, 2025
    affected < 8.19.15-r0fixed 8.19.15-r0

    The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object

Page 6 of 7