apk package
chainguard/langfuse-fips-2-worker
pkg:apk/chainguard/langfuse-fips-2-worker
Vulnerabilities (108)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33750 | Medium | 6.5 | | < 2.95.12-r20 | 2.95.12-r20 | Mar 27, 2026 | The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process |
| CVE-2026-33672 | Medium | 5.3 | | < 2.95.12-r20 | 2.95.12-r20 | Mar 26, 2026 | Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions |
| CVE-2026-33671 | High | 7.5 | | < 2.95.12-r20 | 2.95.12-r20 | Mar 26, 2026 | Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c |
| CVE-2026-33532 | Medium | 4.3 | | < 2.95.12-r20 | 2.95.12-r20 | Mar 26, 2026 | `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive funct |
| CVE-2026-4867 | High | 7.5 | | < 2.95.12-r20 | 2.95.12-r20 | Mar 26, 2026 | Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu |
| CVE-2026-33468 | High | 8.1 | | < 2.95.12-r19 | 2.95.12-r19 | Mar 26, 2026 | Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQueryCompiler.sanitizeStringLiteral()` only escapes single quotes by doubling them (`'` → `''`) but does not escape backslashes. When used with the MySQL dialect (where `NO_BACKSLASH_ES |
| CVE-2026-33349 | — | | | < 2.95.12-r19 | 2.95.12-r19 | Mar 24, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration |
| CVE-2026-33228 | — | | | < 2.95.12-r19 | 2.95.12-r19 | Mar 20, 2026 | flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, a |
| CVE-2026-33036 | — | | | < 2.95.12-r19 | 2.95.12-r19 | Mar 20, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa |
| CVE-2026-32763 | High | 8.2 | | < 2.95.12-r19 | 2.95.12-r19 | Mar 20, 2026 | Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly i |
| CVE-2026-32141 | — | | | < 2.95.12-r19 | 2.95.12-r19 | Mar 12, 2026 | flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, caus |
| CVE-2026-31988 | Medium | 5.3 | | < 2.95.12-r16 | 2.95.12-r16 | Mar 11, 2026 | yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allo |
| CVE-2026-27142 | Medium | 6.1 | | < 0 | 0 | Mar 6, 2026 | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap |
| CVE-2026-27139 | Low | 2.5 | | < 2.95.12-r16 | 2.95.12-r16 | Mar 6, 2026 | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary |
| CVE-2026-25679 | High | 7.5 | | < 2.95.12-r16 | 2.95.12-r16 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2026-0540 | — | | | < 2.95.12-r16 | 2.95.12-r16 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F |
| CVE-2025-15599 | — | | | < 2.95.12-r16 | 2.95.12-r16 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tag |
| CVE-2026-3449 | Low | 3.3 | | < 2.95.12-r31 | 2.95.12-r31 | Mar 3, 2026 | Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang |
| CVE-2026-27699 | — | | | < 2.95.12-r15 | 2.95.12-r15 | Feb 25, 2026 | The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil |
| CVE-2026-27606 | — | | | < 2.95.12-r15 | 2.95.12-r15 | Feb 25, 2026 | Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a |