VYPR

apk package

chainguard/kibana-9.4

pkg:apk/chainguard/kibana-9.4

Vulnerabilities (67)

  • CVE-2026-46625 (High), Jun 10, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o

  • CVE-2026-47676 (Medium), May 28, 2026
    affected < 9.4.2-r3, fixed 9.4.2-r3

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsis

  • CVE-2026-47675 (Medium), May 28, 2026
    affected < 9.4.2-r3, fixed 9.4.2-r3

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same vali

  • CVE-2026-45134 (High), May 27, 2026
    affected < 9.4.2-r0, fixed 9.4.2-r0

    LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize

  • CVE-2026-44724 (High), May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable v

  • CVE-2026-45618 (Critical), May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    ### Summary It is possible to execute arbitrary code with crafted templates ### Details `1|valueOf` -> `this` when evaluating the filter ```liquid {%assign r=1|valueOf%} {{r|inspect}} ``` ```json {"context":{"scopes":[{"r":"[Circular]"}],"re

  • CVE-2026-45617 (High), May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    ## Summary The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `<script`, `<style`, or `<!--` opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the No

  • CVE-2026-45357 (High), May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    ## Summary The `date` filter's strftime implementation parses width specifiers like `%9999999d` and forwards the captured width unchecked into `pad()`/`padStart()` in `src/util/underscore.ts`. The pad loop performs unbounded string concatenation without consulting the Context's

  • CVE-2026-44902 (High), May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ

  • CVE-2026-44979, May 27, 2026
    affected < 9.4.2-r0, fixed 9.4.2-r0

    ### Impact When `@hapi/wreck` follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credential

  • CVE-2026-44974 (High), May 27, 2026
    affected < 9.4.2-r0, fixed 9.4.2-r0

    ### Impact The two parsers resolved duplicates inconsistently and silently: - `Content.disposition()` retained the last occurrence of each parameter. - `Content.type()` retained the first occurrence of charset and boundary. Either behavior creates a parameter-smuggling primitive

  • CVE-2026-44646, May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    ## Summary `Context.spawn()` in liquidjs creates a child `Context` for the `{% render %}` tag but does not propagate the parent context's resolved `ownPropertyOnly` value. The new context re-derives `ownPropertyOnly` from `opts.ownPropertyOnly` (the instance-level option), silen

  • CVE-2026-44645, May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    ## Summary The `renderLimit` option — documented in `docs/source/tutorials/dos.md` as the mechanism that "mitigates this by limiting the time consumed by each render() call" — can be fully bypassed by a `{% for %}` (or `{% tablerow %}`) tag whose body is empty. The per-iteration

  • CVE-2026-44644, May 27, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    ## Summary The `strip_html` filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (`<.*?>`) does not match line terminators, so any HTML tag containing a `

  • CVE-2026-8723 (Medium), May 17, 2026
    affected < 9.4.2-r0, fixed 9.4.2-r0

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-45736 (Medium), May 15, 2026
    affected < 9.4.2-r0, fixed 9.4.2-r0

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-45740 (Medium), May 13, 2026
    affected < 9.4.2-r2, fixed 9.4.2-r2

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested

  • CVE-2026-44665 (Medium), May 13, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    fast-xml-builder builds XML from JSON. Prior to 1.1.7, when input data contains quotes in attribute values but entity processing is not enabled, the builder splits the attribute value into multiple attributes. This gives an attacker room to insert unwanted attributes into the XML/HTML.

  • CVE-2026-44664 (Medium), May 13, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out o

  • CVE-2026-44459 (Low), May 13, 2026
    affected < 9.4.2-r0, fixed 9.4.2-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. T