VYPR

apk package

chainguard/localstack

pkg:apk/chainguard/localstack

Vulnerabilities (102)

  • CVE-2026-27138MedMar 6, 2026
    affected < 4.14.0-r7fixed 4.14.0-r7

    Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

  • CVE-2026-27137HigMar 6, 2026
    affected < 4.14.0-r7fixed 4.14.0-r7

    When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

  • CVE-2026-25679HigMar 6, 2026
    affected < 4.14.0-r7fixed 4.14.0-r7

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2026-27932Mar 3, 2026
    affected < 4.14.0-r1fixed 4.14.0-r1

    joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service (DoS) via CPU exhaustio

  • CVE-2026-27199Feb 21, 2026
    affected < 4.13.1-r2fixed 4.13.1-r2

    Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account f

  • CVE-2026-26007Feb 10, 2026
    affected < 4.13.1-r2fixed 4.13.1-r2

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2025-68121CriFeb 5, 2026
    affected < 4.14.0-r0fixed 4.14.0-r0

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-58190Feb 5, 2026
    affected < 4.14.0-r6fixed 4.14.0-r6

    The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-47911Feb 5, 2026
    affected < 4.14.0-r6fixed 4.14.0-r6

    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-61732Feb 5, 2026
    affected < 4.14.0-r0fixed 4.14.0-r0

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2026-1703LowFeb 2, 2026
    affected < 4.14.0-r6fixed 4.14.0-r6

    When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat

  • CVE-2025-61728Jan 28, 2026
    affected < 4.14.0-r0fixed 4.14.0-r0

    archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

  • CVE-2025-61726Jan 28, 2026
    affected < 4.14.0-r0fixed 4.14.0-r0

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-61730Jan 28, 2026
    affected < 4.14.0-r0fixed 4.14.0-r0

    During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i

  • CVE-2025-61731Jan 28, 2026
    affected < 4.14.0-r0fixed 4.14.0-r0

    Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can

  • CVE-2025-68119Jan 28, 2026
    affected < 4.14.0-r0fixed 4.14.0-r0

    Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are

  • CVE-2026-0994HigJan 23, 2026
    affected < 4.13.1-r1fixed 4.13.1-r1

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

  • CVE-2026-1225LowJan 22, 2026
    affected < 4.14.0-r11fixed 4.14.0-r11

    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti

  • CVE-2025-71176MedJan 22, 2026
    affected < 4.14.0-r8fixed 4.14.0-r8

    pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

  • CVE-2026-24049Jan 22, 2026
    affected < 4.14.0-r6fixed 4.14.0-r6

    wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil

Page 3 of 6