VYPR

apk package

chainguard/kibana-9.0

pkg:apk/chainguard/kibana-9.0

Vulnerabilities (111)

  • CVE-2026-27699, Feb 25, 2026
    affected < 9.0.8-r11, fixed 9.0.8-r11

    The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil

  • CVE-2026-2739 (Medium), Feb 20, 2026
    affected < 9.0.8-r12, fixed 9.0.8-r12

    This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

  • CVE-2026-26996, Feb 20, 2026
    affected < 9.0.8-r13, fixed 9.0.8-r13

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-26960, Feb 20, 2026
    affected < 9.0.8-r10, fixed 9.0.8-r10

    node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t

  • CVE-2026-26318, Feb 19, 2026
    affected < 9.0.8-r10, fixed 9.0.8-r10

    systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

  • CVE-2026-26280, Feb 19, 2026
    affected < 9.0.8-r10, fixed 9.0.8-r10

    systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry co

  • CVE-2026-26278, Feb 19, 2026
    affected < 9.0.8-r10, fixed 9.0.8-r10

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu

  • CVE-2026-2327, Feb 12, 2026
    affected < 9.0.8-r10, fixed 9.0.8-r10

    Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character

  • CVE-2026-25639 (High), Feb 9, 2026
    affected < 9.0.8-r10, fixed 9.0.8-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providi

  • CVE-2026-25528 (Medium), Feb 9, 2026
    affected < 9.0.8-r10, fixed 9.0.8-r10

    LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, ca

  • CVE-2026-25128, Jan 30, 2026
    affected < 9.0.8-r9, fixed 9.0.8-r9

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML

  • CVE-2026-24842, Jan 28, 2026
    affected < 9.0.8-r9, fixed 9.0.8-r9

    node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that b

  • CVE-2025-13465 (Medium), Jan 21, 2026
    affected < 9.0.8-r8, fixed 9.0.8-r8

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2026-23950, Jan 20, 2026
    affected < 9.0.8-r8, fixed 9.0.8-r8

    node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS AP

  • CVE-2026-23745, Jan 16, 2026
    affected < 9.0.8-r8, fixed 9.0.8-r8

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading t

  • CVE-2026-22036, Jan 14, 2026
    affected < 9.0.8-r7, fixed 9.0.8-r7

    Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps leading to high CPU usage and excessive memory allocatio

  • CVE-2025-68665, Dec 23, 2025
    affected < 9.0.8-r5, fixed 9.0.8-r5

    LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify

  • CVE-2025-14874, Dec 18, 2025
    affected < 9.0.8-r3, fixed 9.0.8-r3

    A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

  • CVE-2025-68154, Dec 16, 2025
    affected < 0, fixed 0

    systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com

  • CVE-2025-65945, Dec 4, 2025
    affected < 9.0.8-r4, fixed 9.0.8-r4

    auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us

Page 5 of 6