VYPR

apk package

chainguard/nemo

pkg:apk/chainguard/nemo

Vulnerabilities (169)

  • CVE-2026-54283higJun 15, 2026
    affected < 2.7.3-r8fixed 2.7.3-r8

    ### Summary `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can therefor

  • CVE-2026-54282lowJun 15, 2026
    affected < 2.7.3-r8fixed 2.7.3-r8

    ### Summary In affected versions, the HTTP request path is not validated before being used to reconstruct `request.url`. Because `request.url` is rebuilt by concatenating `{scheme}://{host}{path}` and re-parsing the result, a path that does not begin with `/` (for example `@goog

  • CVE-2026-48818higJun 15, 2026
    affected < 2.7.3-r8fixed 2.7.3-r8

    ### Summary When serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`) reaches the resolver, `realpath` causes the proc

  • CVE-2026-48817Jun 15, 2026
    affected < 2.7.3-r8fixed 2.7.3-r8

    ### Summary When dispatching a request, `HTTPEndpoint` selects the handler by lowercasing the HTTP method and looking it up as an attribute with `getattr`, without restricting the lookup to a known set of HTTP verbs. When an `HTTPEndpoint` subclass is registered through `Route(

  • CVE-2026-45409MedJun 5, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t

  • CVE-2026-42507MedJun 2, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-47265HigJun 2, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then

  • CVE-2026-34993MedJun 2, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is

  • CVE-2026-44740MedJun 1, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise

  • CVE-2026-44973HigMay 28, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.

  • CVE-2026-45571MedMay 27, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v

  • CVE-2026-45570CriMay 27, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito

  • CVE-2026-45022HigMay 27, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa

  • CVE-2026-48710MedMay 26, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` hea

  • CVE-2026-42506MedMay 22, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-42502MedMay 22, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-39821CriMay 22, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-27136MedMay 22, 2026
    affected < 2.7.3-r6fixed 2.7.3-r6

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Page 1 of 9

VYPR — Vulnerability Intelligence