VYPR

apk package

chainguard/langfuse-fips-3-worker

pkg:apk/chainguard/langfuse-fips-3-worker

Vulnerabilities (136)

  • CVE-2026-48068higJun 11, 2026
    affected < 3.186.0-r0fixed 3.186.0-r0

    ### Impact An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5 - 1.14.4

  • CVE-2026-48069higJun 11, 2026
    affected < 3.186.0-r0fixed 3.186.0-r0

    ### Impact An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js ### Patches The following version have fixes for this vulnerability: - 1.9.16 - 1.10.12 - 1.11.4 - 1.12.7 - 1.13.5

  • CVE-2026-45149MedMay 29, 2026
    affected < 3.175.0-r0fixed 3.175.0-r0

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-45134HigMay 27, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize

  • CVE-2026-44902HigMay 27, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a requ

  • CVE-2026-8723MedMay 17, 2026
    affected < 3.176.0-r0fixed 3.176.0-r0

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-45773MedMay 15, 2026
    affected < 3.175.0-r0fixed 3.175.0-r0

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web

  • CVE-2026-45772CriMay 15, 2026
    affected < 3.175.0-r0fixed 3.175.0-r0

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package m

  • CVE-2026-45736MedMay 15, 2026
    affected < 3.175.0-r0fixed 3.175.0-r0

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-45740MedMay 13, 2026
    affected < 3.175.0-r0fixed 3.175.0-r0

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested

  • CVE-2026-44459LowMay 13, 2026
    affected < 3.176.0-r0fixed 3.176.0-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. T

  • CVE-2026-44458MedMay 13, 2026
    affected < 3.176.0-r0fixed 3.176.0-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS de

  • CVE-2026-44457MedMay 13, 2026
    affected < 3.176.0-r0fixed 3.176.0-r0

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticate

  • CVE-2026-42338MedMay 12, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-42264HigMay 8, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert

  • CVE-2026-41650MedMay 7, 2026
    affected < 3.164.0-r7fixed 3.164.0-r7

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This

  • CVE-2026-6322HigMay 5, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321HigMay 4, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize

  • CVE-2026-41907HigApr 24, 2026
    affected < 3.164.0-r7fixed 3.164.0-r7

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-42044MedApr 24, 2026
    affected < 3.174.1-r0fixed 3.174.1-r0

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, in

Page 2 of 7