VYPR

apk package

chainguard/kibana-9.1-iamguarded

pkg:apk/chainguard/kibana-9.1-iamguarded

Vulnerabilities (148)

  • CVE-2026-31802Mar 9, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur

  • CVE-2026-29786Mar 7, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar

  • CVE-2026-30827Mar 7, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6()

  • CVE-2026-29087HigMar 6, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc

  • CVE-2026-29085Mar 4, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE proto

  • CVE-2026-29045Mar 4, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to

  • CVE-2026-29086Mar 4, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cooki

  • CVE-2026-0540Mar 3, 2026
    affected < 9.1.10-r7fixed 9.1.10-r7

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F

  • CVE-2026-27942Feb 26, 2026
    affected < 9.1.10-r6fixed 9.1.10-r6

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8

  • CVE-2026-27904Feb 26, 2026
    affected < 9.1.10-r6fixed 9.1.10-r6

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903Feb 26, 2026
    affected < 9.1.10-r6fixed 9.1.10-r6

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a

  • CVE-2026-27700Feb 25, 2026
    affected < 9.1.10-r6fixed 9.1.10-r6

    Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value

  • CVE-2026-27699Feb 25, 2026
    affected < 9.1.10-r6fixed 9.1.10-r6

    The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil

  • CVE-2026-2739MedFeb 20, 2026
    affected < 9.1.10-r6fixed 9.1.10-r6

    This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

  • CVE-2026-26996Feb 20, 2026
    affected < 9.1.10-r6fixed 9.1.10-r6

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-26960Feb 20, 2026
    affected < 9.1.10-r5fixed 9.1.10-r5

    node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t

  • CVE-2026-26318Feb 19, 2026
    affected < 9.1.10-r5fixed 9.1.10-r5

    systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

  • CVE-2026-26280Feb 19, 2026
    affected < 9.1.10-r5fixed 9.1.10-r5

    systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry co

  • CVE-2026-26278Feb 19, 2026
    affected < 9.1.10-r5fixed 9.1.10-r5

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu

  • CVE-2026-2327Feb 12, 2026
    affected < 9.1.10-r5fixed 9.1.10-r5

    Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character

Page 6 of 8