VYPR

apk package

chainguard/logstash-8.18-env2yaml

pkg:apk/chainguard/logstash-8.18-env2yaml

Vulnerabilities (17)

  • CVE-2026-27142MedMar 6, 2026
    affected < 8.18.8-r15fixed 8.18.8-r15

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 8.18.8-r15fixed 8.18.8-r15

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 8.18.8-r15fixed 8.18.8-r15

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-68121CriFeb 5, 2026
    affected < 8.18.8-r10fixed 8.18.8-r10

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 8.18.8-r10fixed 8.18.8-r10

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-14762MedDec 17, 2025
    affected < 8.18.8-r5fixed 8.18.8-r5

    Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitiga

  • CVE-2025-67735Dec 16, 2025
    affected < 8.18.8-r4fixed 8.18.8-r4

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-61727Dec 3, 2025
    affected < 8.18.8-r3fixed 8.18.8-r3

    An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

  • CVE-2025-61729Dec 2, 2025
    affected < 8.18.8-r3fixed 8.18.8-r3

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a

  • CVE-2025-61921Oct 10, 2025
    affected < 8.18.8-r2fixed 8.18.8-r2

    Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the respon

  • CVE-2025-61919Oct 10, 2025
    affected < 8.18.8-r2fixed 8.18.8-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large

  • CVE-2025-61780Oct 10, 2025
    affected < 8.18.8-r2fixed 8.18.8-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca

  • CVE-2025-61772Oct 7, 2025
    affected < 8.18.8-r1fixed 8.18.8-r1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin

  • CVE-2025-61771Oct 7, 2025
    affected < 8.18.8-r1fixed 8.18.8-r1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request

  • CVE-2025-61770Oct 7, 2025
    affected < 8.18.8-r1fixed 8.18.8-r1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid

  • CVE-2025-58057Sep 3, 2025
    affected < 8.18.6-r1fixed 8.18.6-r1

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s

  • CVE-2025-58056Sep 3, 2025
    affected < 8.18.6-r1fixed 8.18.6-r1

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch