VYPR

apk package

chainguard/kibana-9.2

pkg:apk/chainguard/kibana-9.2

Vulnerabilities (112)

  • CVE-2026-33672MedMar 26, 2026
    affected < 9.2.7-r3fixed 9.2.7-r3

    Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

  • CVE-2026-33671HigMar 26, 2026
    affected < 9.2.7-r3fixed 9.2.7-r3

    Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c

  • CVE-2026-33532MedMar 26, 2026
    affected < 9.2.7-r3fixed 9.2.7-r3

    `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive funct

  • CVE-2026-4926HigMar 26, 2026
    affected < 9.2.7-r5fixed 9.2.7-r5

    Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. Work

  • CVE-2026-4923MedMar 26, 2026
    affected < 9.2.7-r5fixed 9.2.7-r5

    Impact: When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /*foo-*

  • CVE-2026-2229Mar 12, 2026
    affected < 9.2.7-r0fixed 9.2.7-r0

    ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528Mar 12, 2026
    affected < 9.2.7-r0fixed 9.2.7-r0

    ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version

  • CVE-2026-1527Mar 12, 2026
    affected < 9.2.7-r0fixed 9.2.7-r0

    ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem

  • CVE-2026-2581Mar 12, 2026
    affected < 9.2.7-r0fixed 9.2.7-r0

    This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handler

  • CVE-2026-1526Mar 12, 2026
    affected < 9.2.7-r0fixed 9.2.7-r0

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525Mar 12, 2026
    affected < 9.2.7-r0fixed 9.2.7-r0

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-31988MedMar 11, 2026
    affected < 9.2.7-r0fixed 9.2.7-r0

    yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allo

  • CVE-2026-31802Mar 9, 2026
    affected < 9.2.6-r1fixed 9.2.6-r1

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur

  • CVE-2026-30827Mar 7, 2026
    affected < 9.2.6-r1fixed 9.2.6-r1

    express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6()

  • CVE-2026-0540Mar 3, 2026
    affected < 9.2.6-r2fixed 9.2.6-r2

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F

  • CVE-2026-3449LowMar 3, 2026
    affected < 9.2.8-r4fixed 9.2.8-r4

    Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang

  • CVE-2026-27942Feb 26, 2026
    affected < 9.2.6-r2fixed 9.2.6-r2

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8

  • CVE-2026-27904Feb 26, 2026
    affected < 9.2.5-r5fixed 9.2.5-r5

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903Feb 26, 2026
    affected < 9.2.5-r5fixed 9.2.5-r5

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a

  • CVE-2026-27699Feb 25, 2026
    affected < 9.2.5-r5fixed 9.2.5-r5

    The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil

Page 4 of 6