VYPR

apk package

chainguard/kibana-9.3

pkg:apk/chainguard/kibana-9.3

Vulnerabilities (127)

  • CVE-2026-42035HigApr 24, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability ex

  • CVE-2026-42034MedApr 24, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets

  • CVE-2026-42033HigApr 24, 2026
    affected < 9.3.4-r4fixed 9.3.4-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON respo

  • CVE-2026-41324HigApr 24, 2026
    affected < 9.3.3-r5fixed 9.3.3-r5

    basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing

  • CVE-2026-41182MedApr 23, 2026
    affected < 9.3.3-r4fixed 9.3.3-r4

    LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming

  • CVE-2026-41242CriApr 18, 2026
    affected < 9.3.3-r5fixed 9.3.3-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that definition. Versions 8.0.1 an

  • CVE-2026-56761medApr 16, 2026
    affected < 9.3.3-r4fixed 9.3.3-r4

    ## Summary Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries

  • CVE-2026-40190MedApr 10, 2026
    affected < 9.3.3-r4fixed 9.3.3-r4

    LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function onl

  • CVE-2026-40175MedApr 10, 2026
    affected < 9.3.3-r4fixed 9.3.3-r4

    Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound

  • CVE-2026-39983HigApr 9, 2026
    affected < 9.3.3-r4fixed 9.3.3-r4

    basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's pro

  • CVE-2025-62718CriApr 9, 2026
    affected < 9.3.3-r4fixed 9.3.3-r4

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_

  • CVE-2026-39859HigApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configu

  • CVE-2026-39412MedApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel

  • CVE-2026-35525HigApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is

  • CVE-2026-34166LowApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to

  • CVE-2026-39410MedApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may

  • CVE-2026-39409MedApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-s

  • CVE-2026-39408HigApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgP

  • CVE-2026-39407MedApr 8, 2026
    affected < 9.3.3-r0fixed 9.3.3-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g.,

  • CVE-2026-39406MedApr 8, 2026
    affected < 9.3.3-r4fixed 9.3.3-r4

    @hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used f

Page 4 of 7