VYPR

apk package

chainguard/knative-kafka-broker-1.20-receiver-loom

pkg:apk/chainguard/knative-kafka-broker-1.20-receiver-loom

Vulnerabilities (28)

  • CVE-2026-41417MedMay 6, 2026
    affected < 1.20.3-r6fixed 1.20.3-r6

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-6860MedMay 6, 2026
    affected < 1.20.3-r6fixed 1.20.3-r6

    A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.

  • CVE-2026-35554HigApr 7, 2026
    affected < 1.20.3-r2fixed 1.20.3-r2

    A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch

  • CVE-2026-33871Mar 27, 2026
    affected < 1.20.2-r7fixed 1.20.2-r7

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-1002Jan 15, 2026
    affected < 1.20.2-r3fixed 1.20.2-r3

    The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co

  • CVE-2025-67735Dec 16, 2025
    affected < 1.20.2-r4fixed 1.20.2-r4

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-66566HigDec 5, 2025
    affected < 1.20.3-r0fixed 1.20.3-r0

    yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the

  • CVE-2025-12183HigNov 28, 2025
    affected < 1.20.2-r2fixed 1.20.2-r2

    Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

Page 2 of 2