VYPR

apk package

chainguard/nemo

pkg:apk/chainguard/nemo

Vulnerabilities (169)

  • CVE-2026-42499HigMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 2.7.3-r4fixed 2.7.3-r4

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-44405LowMay 6, 2026
    affected < 2.7.3-r2fixed 2.7.3-r2

    In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

  • CVE-2026-6357MedApr 27, 2026
    affected < 2.7.3-r2fixed 2.7.3-r2

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct

  • CVE-2026-41066HigApr 24, 2026
    affected < 2.7.2-r2fixed 2.7.2-r2

    lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolv

  • CVE-2026-41205HigApr 23, 2026
    affected < 2.7.2-r2fixed 2.7.2-r2

    Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable

  • CVE-2026-41314MedApr 22, 2026
    affected < 2.7.2-r2fixed 2.7.2-r2

    pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fi

  • CVE-2026-41313MedApr 22, 2026
    affected < 2.7.2-r2fixed 2.7.2-r2

    pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed

  • CVE-2026-41312MedApr 22, 2026
    affected < 2.7.2-r2fixed 2.7.2-r2

    pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1

  • CVE-2026-41168MedApr 22, 2026
    affected < 2.7.2-r2fixed 2.7.2-r2

    pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large

  • CVE-2026-3219MedApr 20, 2026
    affected < 2.7.3-r2fixed 2.7.3-r2

    pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior

  • CVE-2026-40491MedApr 18, 2026
    affected < 2.7.2-r2fixed 2.7.2-r2

    gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the a

Page 3 of 9