VYPR

apk package

chainguard/kibana-9.3

pkg:apk/chainguard/kibana-9.3

Vulnerabilities (127)

  • CVE-2026-26278 | Feb 19, 2026
    affected < 9.3.0-r1 | fixed 9.3.0-r1

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu

  • CVE-2026-2327 | Feb 12, 2026
    affected < 9.3.0-r1 | fixed 9.3.0-r1

    Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character

  • CVE-2025-69873 | Low | Feb 11, 2026
    affected < 9.3.2-r0 | fixed 9.3.2-r0

    ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp(

  • CVE-2026-25639 | High | Feb 9, 2026
    affected < 9.3.0-r1 | fixed 9.3.0-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providi

  • CVE-2026-25528 | Med | Feb 9, 2026
    affected < 9.3.0-r2 | fixed 9.3.0-r2

    LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, ca

  • CVE-2026-25128 | Jan 30, 2026
    affected < 9.3.0-r1 | fixed 9.3.0-r1

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML

  • CVE-2025-68154 | Dec 16, 2025
    affected < 9.3.0-r1 | fixed 9.3.0-r1

    systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com
