apk package
chainguard/litellm
pkg:apk/chainguard/litellm
Vulnerabilities (45)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24486 | — | | | < 1.81.3.0-r1 | 1.81.3.0-r1 | Jan 27, 2026 | Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on th |
| CVE-2026-0994 | High | 7.5 | | < 1.81.3.0-r0 | 1.81.3.0-r0 | Jan 23, 2026 | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l |
| CVE-2025-67221 | — | | | < 1.80.15.0-r1 | 1.80.15.0-r1 | Jan 22, 2026 | The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents. |
| CVE-2026-23490 | — | | | < 1.80.15.0-r1 | 1.80.15.0-r1 | Jan 16, 2026 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. |
| CVE-2025-14546 | Medium | 6.3 | | < 1.83.10.0-r0 | 1.83.10.0-r0 | Dec 19, 2025 | Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist th |