VYPR

apk package

chainguard/label-studio

pkg:apk/chainguard/label-studio

Vulnerabilities (36)

  • CVE-2026-44660HigMay 27, 2026
    affected < 1.23.0-r5fixed 1.23.0-r5

    UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each fa

  • CVE-2026-44432HigMay 13, 2026
    affected < 1.23.0-r5fixed 1.23.0-r5

    urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w

  • CVE-2026-44431MedMay 13, 2026
    affected < 1.23.0-r5fixed 1.23.0-r5

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2026-41066HigApr 24, 2026
    affected < 1.23.0-r4fixed 1.23.0-r4

    lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolv

  • CVE-2026-39892CriApr 8, 2026
    affected < 1.23.0-r3fixed 1.23.0-r3

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner

  • CVE-2026-4292LowApr 7, 2026
    affected < 1.23.0-r3fixed 1.23.0-r3

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using `ModelAdmin.list_editable` incorrectly allowed new instances to be created via forged `POST` data. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.

  • CVE-2026-4277CriApr 7, 2026
    affected < 1.23.0-r3fixed 1.23.0-r3

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2

  • CVE-2026-3902HigApr 7, 2026
    affected < 1.23.0-r3fixed 1.23.0-r3

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlie

  • CVE-2026-33034HigApr 7, 2026
    affected < 1.23.0-r3fixed 1.23.0-r3

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an

  • CVE-2026-33033MedApr 7, 2026
    affected < 1.23.0-r3fixed 1.23.0-r3

    An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Dj

  • CVE-2026-25645Mar 25, 2026
    affected < 1.23.0-r1fixed 1.23.0-r1

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-4539LowMar 22, 2026
    affected < 1.23.0-r2fixed 1.23.0-r2

    A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit

  • CVE-2026-33231Mar 20, 2026
    affected < 1.23.0-r1fixed 1.23.0-r1

    NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet B

  • CVE-2026-33230Mar 20, 2026
    affected < 1.23.0-r1fixed 1.23.0-r1

    NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `looku

  • CVE-2026-30922HigMar 18, 2026
    affected < 1.23.0-r1fixed 1.23.0-r1

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousa

  • CVE-2026-32597HigMar 13, 2026
    affected < 1.23.0-r0fixed 1.23.0-r0

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i

  • CVE-2026-32274Mar 12, 2026
    affected < 1.23.0-r0fixed 1.23.0-r0

    Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker wh

  • CVE-2026-28350Mar 5, 2026
    affected < 1.22.0-r7fixed 1.22.0-r7

    lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for <

  • CVE-2026-28348Mar 5, 2026
    affected < 1.22.0-r7fixed 1.22.0-r7

    lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.4, the _has_sneaky_javascript() method strips backslashes before checking for dangerous CSS keywords. This causes CSS Unicode escape sequences to bypass the @import

  • CVE-2026-25674Mar 3, 2026
    affected < 1.22.0-r7fixed 1.22.0-r7

    An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, w

Page 1 of 2