VYPR

apk package

chainguard/kibana-9.4

pkg:apk/chainguard/kibana-9.4

Vulnerabilities (67)

  • CVE-2026-44458MedMay 13, 2026
    affected < 9.4.2-r0fixed 9.4.2-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS de

  • CVE-2026-44457MedMay 13, 2026
    affected < 9.4.2-r0fixed 9.4.2-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticate

  • CVE-2026-44456MedMay 13, 2026
    affected < 9.4.2-r0fixed 9.4.2-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 2

  • CVE-2026-44455MedMay 13, 2026
    affected < 9.4.2-r0fixed 9.4.2-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a t

  • CVE-2026-44294MedMay 13, 2026
    affected < 9.4.2-r2fixed 9.4.2-r2

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int

  • CVE-2026-44293HigMay 13, 2026
    affected < 9.4.2-r2fixed 9.4.2-r2

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no

  • CVE-2026-44292MedMay 13, 2026
    affected < 9.4.2-r2fixed 9.4.2-r2

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message

  • CVE-2026-44291HigMay 13, 2026
    affected < 9.4.2-r2fixed 9.4.2-r2

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,

  • CVE-2026-44290HigMay 13, 2026
    affected < 9.4.2-r2fixed 9.4.2-r2

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio

  • CVE-2026-44289HigMay 13, 2026
    affected < 9.4.2-r0fixed 9.4.2-r0

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.

  • CVE-2026-44288MedMay 13, 2026
    affected < 9.4.2-r2fixed 9.4.2-r2

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can

  • CVE-2026-44240HigMay 12, 2026
    affected < 9.4.1-r0fixed 9.4.1-r0

    basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner p

  • CVE-2026-42338MedMay 12, 2026
    affected < 9.4.2-r0fixed 9.4.2-r0

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-41311HigMay 9, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FA

  • CVE-2026-41650MedMay 7, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This

  • CVE-2026-6322HigMay 5, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321HigMay 4, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize

  • CVE-2026-41907HigApr 24, 2026
    affected < 9.4.2-r1fixed 9.4.2-r1

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-41324HigApr 24, 2026
    affected < 9.4.1-r0fixed 9.4.1-r0

    basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing

  • CVE-2026-4800HigMar 31, 2026
    affected < 9.4.2-r0fixed 9.4.2-r0

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a