VYPR

apk package

chainguard/kibana-9.4-iamguarded

pkg:apk/chainguard/kibana-9.4-iamguarded

Vulnerabilities (67)

  • CVE-2026-11525lowJun 17, 2026
    affected < 9.4.2-r5fixed 9.4.2-r5

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733lowJun 17, 2026
    affected < 9.4.2-r5fixed 9.4.2-r5

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9678modJun 17, 2026
    affected < 9.4.2-r5fixed 9.4.2-r5

    undici: Undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9679modJun 17, 2026
    affected < 9.4.2-r5fixed 9.4.2-r5

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-9697impJun 17, 2026
    affected < 9.4.2-r5fixed 9.4.2-r5

    undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-6734impJun 17, 2026
    affected < 9.4.2-r5fixed 9.4.2-r5

    undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing

  • CVE-2026-12151impJun 17, 2026
    affected < 9.4.2-r5fixed 9.4.2-r5

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-48988Jun 15, 2026
    affected < 9.4.2-r6fixed 9.4.2-r6

    ### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, lea

  • CVE-2026-49978Jun 15, 2026
    affected < 9.4.2-r6fixed 9.4.2-r6

    If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:

  • CVE-2026-49459Jun 15, 2026
    affected < 9.4.2-r6fixed 9.4.2-r6

    # IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove` is cal

  • CVE-2026-53550Jun 15, 2026
    affected < 9.4.2-r6fixed 9.4.2-r6

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-48779higJun 15, 2026
    affected < 9.4.2-r4fixed 9.4.2-r4

    ### Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea

  • CVE-2026-44494HigJun 11, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-

  • CVE-2026-44492HigJun 11, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:

  • CVE-2026-44490MedJun 11, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil

  • CVE-2026-44489LowJun 11, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209

  • CVE-2026-48049Jun 11, 2026
    affected < 9.4.2-r3fixed 9.4.2-r3

    ### Impact `@hapi/inert` serves static files from a directory configured with `path` (in the `directory` / `file` handlers) or `relativeTo` (for `h.file()`), with confinement enforced by the `confine` option (default `true`). Before the patch, the confinement check compared the r

  • CVE-2026-48068higJun 11, 2026
    affected < 9.4.2-r3fixed 9.4.2-r3

    ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4

  • CVE-2026-48069higJun 11, 2026
    affected < 9.4.2-r3fixed 9.4.2-r3

    ### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5

  • CVE-2026-48022Jun 11, 2026
    affected < 9.4.2-r3fixed 9.4.2-r3

    ### Impact Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes

Page 1 of 4