VYPR

apk package

chainguard/nacos

pkg:apk/chainguard/nacos

Vulnerabilities (41)

  • CVE-2026-34483HigApr 9, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version

  • CVE-2026-32990MedApr 9, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20,

  • CVE-2026-29146HigApr 9, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

  • CVE-2026-29145CriApr 9, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115;

  • CVE-2026-29129HigApr 9, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116,

  • CVE-2026-25854MedApr 9, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through

  • CVE-2026-35568MedApr 7, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victims browser that i

  • CVE-2026-34237MedMar 31, 2026
    affected < 3.2.0-r6fixed 3.2.0-r6

    MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1.

  • CVE-2026-22737MedMar 20, 2026
    affected < 3.2.0-r1fixed 3.2.0-r1

    Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 throug

  • CVE-2026-22735LowMar 20, 2026
    affected < 3.2.0-r1fixed 3.2.0-r1

    Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

  • CVE-2026-22732CriMar 19, 2026
    affected < 3.2.0-r1fixed 3.2.0-r1

    When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0

  • CVE-2026-24734Feb 17, 2026
    affected < 3.1.1-r5fixed 3.1.1-r5

    Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revo

  • CVE-2026-24733Feb 17, 2026
    affected < 3.1.1-r4fixed 3.1.1-r4

    Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending

  • CVE-2025-66614Feb 17, 2026
    affected < 3.1.1-r4fixed 3.1.1-r4

    Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through

  • CVE-2026-1225LowJan 22, 2026
    affected < 3.1.1-r1fixed 3.1.1-r1

    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti

  • CVE-2025-61795MedOct 27, 2025
    affected < 3.1.0-r2fixed 3.1.0-r2

    Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage co

  • CVE-2025-11226MedOct 1, 2025
    affected < 3.1.0-r1fixed 3.1.0-r1

    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment varia

  • CVE-2025-41249HigSep 16, 2025
    affected < 3.1.0-r0fixed 3.1.0-r0

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m

  • CVE-2025-41248HigSep 16, 2025
    affected < 3.1.0-r0fixed 3.1.0-r0

    The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a

  • CVE-2025-53864MedJul 11, 2025
    affected < 3.2.0-r2fixed 3.2.0-r2

    Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue beca