VYPR

apk package

chainguard/kube-fluentd-operator

pkg:apk/chainguard/kube-fluentd-operator

Vulnerabilities (114)

  • CVE-2026-34829HigApr 2, 2026
    affected < 1.18.2-r67fixed 1.18.2-r67

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HT

  • CVE-2026-34826MedApr 2, 2026
    affected < 1.18.2-r67fixed 1.18.2-r67

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte c

  • CVE-2026-34786MedApr 2, 2026
    affected < 1.18.2-r67fixed 1.18.2-r67

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a re

  • CVE-2026-34785HigApr 2, 2026
    affected < 1.18.2-r67fixed 1.18.2-r67

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path

  • CVE-2026-34763MedApr 2, 2026
    affected < 1.18.2-r67fixed 1.18.2-r67

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or .,

  • CVE-2026-34230MedApr 2, 2026
    affected < 1.18.2-r67fixed 1.18.2-r67

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Defl

  • CVE-2026-26961LowApr 2, 2026
    affected < 1.18.2-r67fixed 1.18.2-r67

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack sel

  • CVE-2026-33176Mar 23, 2026
    affected < 1.18.2-r60fixed 1.18.2-r60

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands

  • CVE-2026-33170Mar 23, 2026
    affected < 1.18.2-r60fixed 1.18.2-r60

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in pl

  • CVE-2026-33169Mar 23, 2026
    affected < 1.18.2-r60fixed 1.18.2-r60

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the i

  • CVE-2026-27142MedMar 6, 2026
    affected < 1.18.2-r58fixed 1.18.2-r58

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 1.18.2-r58fixed 1.18.2-r58

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 1.18.2-r58fixed 1.18.2-r58

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2026-25500Feb 18, 2026
    affected < 1.18.2-r60fixed 1.18.2-r60

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g.

  • CVE-2026-22860Feb 18, 2026
    affected < 1.18.2-r60fixed 1.18.2-r60

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root stri

  • CVE-2026-25765Feb 9, 2026
    affected < 1.18.2-r60fixed 1.18.2-r60

    Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per

  • CVE-2025-68121CriFeb 5, 2026
    affected < 1.18.2-r56fixed 1.18.2-r56

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 1.18.2-r56fixed 1.18.2-r56

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-14762MedDec 17, 2025
    affected < 1.18.2-r54fixed 1.18.2-r54

    Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitiga

  • CVE-2025-65637Dec 4, 2025
    affected < 1.18.2-r53fixed 1.18.2-r53

    A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is

Page 3 of 6