VYPR

apk package

chainguard/mise

pkg:apk/chainguard/mise

Vulnerabilities (5)

  • CVE-2026-6967 | Med | Apr 24, 2026
    affected < 2026.5.8-r0 | fixed 2026.5.8-r0

    Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the lo

  • CVE-2026-6966 | Med | Apr 24, 2026
    affected < 2026.5.8-r0 | fixed 2026.5.8-r0

    Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged

  • CVE-2026-33056 | Mar 20, 2026
    affected < 2026.3.17-r0 | fixed 2026.3.17-r0

    tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links,

  • CVE-2026-33055 | Mar 20, 2026
    affected < 2026.3.17-r0 | fixed 2026.3.17-r0

    tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz

  • CVE-2026-32766 | Med | Mar 20, 2026
    affected < 2026.4.15-r0 | fixed 2026.4.15-r0

    astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building bl