VYPR

apk package

chainguard/kibana-9.3-iamguarded

pkg:apk/chainguard/kibana-9.3-iamguarded

Vulnerabilities (125)

  • CVE-2026-48068higJun 11, 2026
    affected < 9.3.5-r3fixed 9.3.5-r3

    ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4

  • CVE-2026-48069higJun 11, 2026
    affected < 9.3.5-r3fixed 9.3.5-r3

    ### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5

  • CVE-2026-48022Jun 11, 2026
    affected < 9.3.5-r3fixed 9.3.5-r3

    ### Impact Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes

  • CVE-2026-46625HigJun 10, 2026
    affected < 9.3.5-r2fixed 9.3.5-r2

    JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o

  • CVE-2026-45149MedMay 29, 2026
    affected < 9.3.5-r1fixed 9.3.5-r1

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-44902HigMay 27, 2026
    affected < 9.3.5-r0fixed 9.3.5-r0

    opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ

  • CVE-2026-44979May 27, 2026
    affected < 9.3.5-r0fixed 9.3.5-r0

    ### Impact When `@hapi/wreck` follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credential

  • CVE-2026-44974higMay 27, 2026
    affected < 9.3.5-r0fixed 9.3.5-r0

    ### Impact The two parsers resolved duplicates inconsistently and silently: - `Content.disposition()` retained the last occurrence of each parameter. - `Content.type()` retained the first occurrence of charset and boundary. Either behavior creates a parameter-smuggling primitive

  • CVE-2026-8723MedMay 17, 2026
    affected < 9.3.5-r0fixed 9.3.5-r0

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-45736MedMay 15, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-45740MedMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested

  • CVE-2026-44459LowMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. T

  • CVE-2026-44458MedMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS de

  • CVE-2026-44457MedMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticate

  • CVE-2026-44456MedMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 2

  • CVE-2026-44455MedMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a t

  • CVE-2026-44294MedMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int

  • CVE-2026-44293HigMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no

  • CVE-2026-44292MedMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message

  • CVE-2026-44291HigMay 13, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,

Page 2 of 7