VYPR

apk package

chainguard/langfuse-3-worker

pkg:apk/chainguard/langfuse-3-worker

Vulnerabilities (129)

  • CVE-2026-27139LowMar 6, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2026-29087HigMar 6, 2026
    affected < 3.160.0-r1fixed 3.160.0-r1

    @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc

  • CVE-2026-0540Mar 3, 2026
    affected < 3.160.0-r1fixed 3.160.0-r1

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F

  • CVE-2025-15599Mar 3, 2026
    affected < 3.160.0-r1fixed 3.160.0-r1

    DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tag

  • CVE-2026-3449LowMar 3, 2026
    affected < 3.164.0-r1fixed 3.164.0-r1

    Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang

  • CVE-2026-27901Feb 26, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the

  • CVE-2026-27699Feb 25, 2026
    affected < 3.155.1-r3fixed 3.155.1-r3

    The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil

  • CVE-2026-27606Feb 25, 2026
    affected < 3.155.1-r3fixed 3.155.1-r3

    Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a

  • CVE-2026-27125Feb 20, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. ) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype

  • CVE-2026-27122Feb 20, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can res

  • CVE-2026-27121Feb 20, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    svelte performance oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML o

  • CVE-2026-26996Feb 20, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-2391Feb 12, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2025-69873LowFeb 11, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp(

  • CVE-2026-25639HigFeb 9, 2026
    affected < 3.153.0-r2fixed 3.153.0-r2

    Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providi

  • CVE-2026-25528MedFeb 9, 2026
    affected < 3.153.0-r2fixed 3.153.0-r2

    LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, ca

  • CVE-2025-68157Feb 5, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a resul

  • CVE-2025-68458Feb 5, 2026
    affected < 3.155.1-r2fixed 3.155.1-r2

    Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@h

  • CVE-2025-68121CriFeb 5, 2026
    affected < 3.163.0-r0fixed 3.163.0-r0

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

Page 5 of 7