apk package
chainguard/kserve-storage-controller
pkg:apk/chainguard/kserve-storage-controller
Vulnerabilities (70)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24049 | | — | | < 0.16.0-r11 | 0.16.0-r11 | Jan 22, 2026 | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil |
| CVE-2025-67221 | | — | | < 0.16.0-r11 | 0.16.0-r11 | Jan 22, 2026 | The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents. |
| CVE-2026-23949 | | — | | < 0.16.0-r11 | 0.16.0-r11 | Jan 20, 2026 | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta |
| CVE-2026-23490 | | — | | < 0.16.0-r9 | 0.16.0-r9 | Jan 16, 2026 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. |
| CVE-2026-21226 | | — | | < 0.16.0-r9 | 0.16.0-r9 | Jan 13, 2026 | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. |
| CVE-2026-21441 | | — | | < 0.16.0-r8 | 0.16.0-r8 | Jan 7, 2026 | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b |
| CVE-2025-69230 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w |
| CVE-2025-69229 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method |
| CVE-2025-69228 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ |
| CVE-2025-69227 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI |
| CVE-2025-69225 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi |
| CVE-2025-69226 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica |
| CVE-2025-69224 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u |
| CVE-2025-69223 | | — | | < 0.17.0-r2 | 0.17.0-r2 | Jan 5, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust |
| CVE-2025-68476 | Hig | — | | < 0.16.0-r7 | 0.16.0-r7 | Dec 22, 2025 | KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authenticatio |
| CVE-2025-68156 | | — | | < 0.16.0-r4 | 0.16.0-r4 | Dec 16, 2025 | Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursi |
| CVE-2025-68146 | | — | | < 0.16.0-r7 | 0.16.0-r7 | Dec 16, 2025 | filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows |
| CVE-2025-66471 | | — | | < 0.16.0-r6 | 0.16.0-r6 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu |
| CVE-2025-66418 | | — | | < 0.16.0-r6 | 0.16.0-r6 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a |
| CVE-2025-61729 | | — | | < 0.16.0-r2 | 0.16.0-r2 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a |
Page 2 of 4