apk package
chainguard/langfuse-fips-3-worker
pkg:apk/chainguard/langfuse-fips-3-worker
Vulnerabilities (136)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32763 | Hig | 8.2 | < 3.162.0-r1 | 3.162.0-r1 | Mar 20, 2026 | Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly i | |
| CVE-2026-2229 | — | < 3.179.1-r1 | 3.179.1-r1 | Mar 12, 2026 | ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d | ||
| CVE-2026-1528 | — | < 3.179.1-r1 | 3.179.1-r1 | Mar 12, 2026 | ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version | ||
| CVE-2026-1527 | — | < 3.179.1-r1 | 3.179.1-r1 | Mar 12, 2026 | ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem | ||
| CVE-2026-1526 | — | < 3.179.1-r1 | 3.179.1-r1 | Mar 12, 2026 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en | ||
| CVE-2026-1525 | — | < 3.179.1-r1 | 3.179.1-r1 | Mar 12, 2026 | Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * | ||
| CVE-2026-32141 | — | < 3.162.0-r1 | 3.162.0-r1 | Mar 12, 2026 | flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, caus | ||
| CVE-2026-30827 | — | < 3.162.0-r1 | 3.162.0-r1 | Mar 7, 2026 | express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() | ||
| CVE-2026-27142 | Med | 6.1 | < 3.162.0-r1 | 3.162.0-r1 | Mar 6, 2026 | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap | |
| CVE-2026-27139 | Low | 2.5 | < 3.162.0-r1 | 3.162.0-r1 | Mar 6, 2026 | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary | |
| CVE-2026-25679 | Hig | 7.5 | < 3.162.0-r1 | 3.162.0-r1 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2026-29087 | Hig | 7.5 | < 3.160.0-r1 | 3.160.0-r1 | Mar 6, 2026 | @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc | |
| CVE-2026-0540 | — | < 3.160.0-r1 | 3.160.0-r1 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F | ||
| CVE-2025-15599 | — | < 3.160.0-r1 | 3.160.0-r1 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tag | ||
| CVE-2026-3449 | Low | 3.3 | < 3.164.0-r1 | 3.164.0-r1 | Mar 3, 2026 | Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang | |
| CVE-2026-27901 | — | < 3.163.0-r0 | 3.163.0-r0 | Feb 26, 2026 | Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the | ||
| CVE-2026-27699 | — | < 3.155.1-r3 | 3.155.1-r3 | Feb 25, 2026 | The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil | ||
| CVE-2026-27606 | — | < 3.155.1-r3 | 3.155.1-r3 | Feb 25, 2026 | Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a | ||
| CVE-2026-27125 | — | < 3.163.0-r0 | 3.163.0-r0 | Feb 20, 2026 | svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. ) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype | ||
| CVE-2026-27122 | — | < 3.163.0-r0 | 3.163.0-r0 | Feb 20, 2026 | svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can res |
- affected < 3.162.0-r1fixed 3.162.0-r1
Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly i
- CVE-2026-2229Mar 12, 2026affected < 3.179.1-r1fixed 3.179.1-r1
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d
- CVE-2026-1528Mar 12, 2026affected < 3.179.1-r1fixed 3.179.1-r1
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version
- CVE-2026-1527Mar 12, 2026affected < 3.179.1-r1fixed 3.179.1-r1
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem
- CVE-2026-1526Mar 12, 2026affected < 3.179.1-r1fixed 3.179.1-r1
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en
- CVE-2026-1525Mar 12, 2026affected < 3.179.1-r1fixed 3.179.1-r1
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *
- CVE-2026-32141Mar 12, 2026affected < 3.162.0-r1fixed 3.162.0-r1
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, caus
- CVE-2026-30827Mar 7, 2026affected < 3.162.0-r1fixed 3.162.0-r1
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6()
- affected < 3.162.0-r1fixed 3.162.0-r1
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
- affected < 3.162.0-r1fixed 3.162.0-r1
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
- affected < 3.162.0-r1fixed 3.162.0-r1
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- affected < 3.160.0-r1fixed 3.160.0-r1
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc
- CVE-2026-0540Mar 3, 2026affected < 3.160.0-r1fixed 3.160.0-r1
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F
- CVE-2025-15599Mar 3, 2026affected < 3.160.0-r1fixed 3.160.0-r1
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tag
- affected < 3.164.0-r1fixed 3.164.0-r1
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang
- CVE-2026-27901Feb 26, 2026affected < 3.163.0-r0fixed 3.163.0-r0
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the
- CVE-2026-27699Feb 25, 2026affected < 3.155.1-r3fixed 3.155.1-r3
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil
- CVE-2026-27606Feb 25, 2026affected < 3.155.1-r3fixed 3.155.1-r3
Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine a
- CVE-2026-27125Feb 20, 2026affected < 3.163.0-r0fixed 3.163.0-r0
svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. ) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype
- CVE-2026-27122Feb 20, 2026affected < 3.163.0-r0fixed 3.163.0-r0
svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can res
Page 5 of 7