VYPR

apk package

chainguard/kibana-9.3

pkg:apk/chainguard/kibana-9.3

Vulnerabilities (127)

  • CVE-2026-48049 · Jun 11, 2026
    affected < 9.3.6-r0, fixed 9.3.6-r0

    Impact: `@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the r

  • CVE-2026-48068 · High · Jun 11, 2026
    affected < 9.3.5-r3, fixed 9.3.5-r3

    Impact: An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. Patches: the following versions have fixes for this vulnerability: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4

  • CVE-2026-48069 · High · Jun 11, 2026
    affected < 9.3.5-r3, fixed 9.3.5-r3

    Impact: An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js. Patches: the following versions have fixes for this vulnerability: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5

  • CVE-2026-48022 · Jun 11, 2026
    affected < 9.3.5-r3, fixed 9.3.5-r3

    Impact: Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes

  • CVE-2026-46625 · High · Jun 10, 2026
    affected < 9.3.5-r2, fixed 9.3.5-r2

    JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o

  • CVE-2026-45149 · Medium · May 29, 2026
    affected < 9.3.5-r1, fixed 9.3.5-r1

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-44902 · High · May 27, 2026
    affected < 9.3.5-r0, fixed 9.3.5-r0

    opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ

  • CVE-2026-44979 · May 27, 2026
    affected < 9.3.5-r0, fixed 9.3.5-r0

    Impact: When `@hapi/wreck` follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credential

  • CVE-2026-44974 · High · May 27, 2026
    affected < 9.3.5-r0, fixed 9.3.5-r0

    Impact: The two parsers resolved duplicates inconsistently and silently: `Content.disposition()` retained the last occurrence of each parameter, while `Content.type()` retained the first occurrence of charset and boundary. Either behavior creates a parameter-smuggling primitive

  • CVE-2026-8723 · Medium · May 17, 2026
    affected < 9.3.5-r0, fixed 9.3.5-r0

    Summary: `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-45736 · Medium · May 15, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-45740 · Medium · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested

  • CVE-2026-44459 · Low · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. T

  • CVE-2026-44458 · Medium · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS de

  • CVE-2026-44457 · Medium · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticate

  • CVE-2026-44456 · Medium · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 2

  • CVE-2026-44455 · Medium · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a t

  • CVE-2026-44294 · Medium · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int

  • CVE-2026-44293 · High · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no

  • CVE-2026-44292 · Medium · May 13, 2026
    affected < 9.3.4-r4, fixed 9.3.4-r4

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message

Page 2 of 7