VYPR

apk package

chainguard/kibana-9.2-iamguarded

pkg:apk/chainguard/kibana-9.2-iamguarded

Vulnerabilities (121)

  • CVE-2026-11525lowJun 17, 2026
    affected < 9.2.8-r9fixed 9.2.8-r9

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733lowJun 17, 2026
    affected < 9.2.8-r9fixed 9.2.8-r9

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9678modJun 17, 2026
    affected < 9.2.8-r9fixed 9.2.8-r9

    undici: Undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9679modJun 17, 2026
    affected < 9.2.8-r9fixed 9.2.8-r9

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-9697impJun 17, 2026
    affected < 9.2.8-r9fixed 9.2.8-r9

    undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-6734impJun 17, 2026
    affected < 9.2.8-r9fixed 9.2.8-r9

    undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing

  • CVE-2026-12151impJun 17, 2026
    affected < 9.2.8-r9fixed 9.2.8-r9

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-54288Jun 16, 2026
    affected < 9.2.8-r8fixed 9.2.8-r8

    ### Summary The Body Limit Middleware trusts the request's `Content-Length` header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the

  • CVE-2026-54289Jun 16, 2026
    affected < 9.2.8-r8fixed 9.2.8-r8

    ### Summary On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the ap

  • CVE-2026-54290higJun 16, 2026
    affected < 9.2.8-r8fixed 9.2.8-r8

    ### Summary With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses, exposin

  • CVE-2026-54286Jun 16, 2026
    affected < 9.2.8-r8fixed 9.2.8-r8

    ### Summary On Windows hosts, an encoded backslash (`%5C`) in the request path decodes to `\`, which the Windows path resolver treats as a separator. `serve-static` then resolves a single URL segment such as `admin\secret.txt` into a nested file under the root and serves it, let

  • CVE-2026-54287Jun 16, 2026
    affected < 9.2.8-r8fixed 9.2.8-r8

    ### Summary On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple `Set-Cookie` headers into one comma-separated value. Because commas also appear inside cookie attributes (for example `Expires` dates), clients cannot split the value back int

  • CVE-2026-54269Jun 15, 2026
    affected < 9.2.8-r8fixed 9.2.8-r8

    ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection desc

  • CVE-2026-12143HigJun 12, 2026
    affected < 9.2.8-r11fixed 9.2.8-r11

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-44494HigJun 11, 2026
    affected < 9.2.8-r4fixed 9.2.8-r4

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-

  • CVE-2026-44492HigJun 11, 2026
    affected < 9.2.8-r4fixed 9.2.8-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:

  • CVE-2026-44490MedJun 11, 2026
    affected < 9.2.8-r4fixed 9.2.8-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil

  • CVE-2026-44489LowJun 11, 2026
    affected < 9.2.8-r4fixed 9.2.8-r4

    Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209

  • CVE-2026-48049Jun 11, 2026
    affected < 9.2.8-r10fixed 9.2.8-r10

    ### Impact `@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the r

  • CVE-2026-48068higJun 11, 2026
    affected < 9.2.8-r8fixed 9.2.8-r8

    ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4

Page 1 of 7