VYPR

apk package

chainguard/kibana-9.4

pkg:apk/chainguard/kibana-9.4

Vulnerabilities (67)

  • CVE-2026-2950 Med Mar 31, 2026
    affected < 9.4.2-r0, fixed 9.4.2-r0

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-33532 Med Mar 26, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive funct

  • CVE-2026-3449 Low Mar 3, 2026
    affected < 9.4.1-r2, fixed 9.4.1-r2

    Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang

  • CVE-2026-2739 Med Feb 20, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

  • CVE-2026-26318 Feb 19, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized `locate` output in `versions()`. Version 5.31.0 fixes the issue.

  • CVE-2026-26280 Feb 19, 2026
    affected < 9.4.2-r1, fixed 9.4.2-r1

    systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry co

  • CVE-2024-53382 Mar 3, 2025
    affected < 9.4.2-r1, fixed 9.4.2-r1

    Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Page 4 of 4