apk package
chainguard/nemo
pkg:apk/chainguard/nemo
Vulnerabilities (169)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42499 | Hig | 7.5 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | |
| CVE-2026-39836 | Hig | 7.5 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | |
| CVE-2026-39826 | Med | 6.1 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. | |
| CVE-2026-39825 | Med | 5.3 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa | |
| CVE-2026-39823 | Med | 6.1 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le | |
| CVE-2026-39820 | Hig | 7.5 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. | |
| CVE-2026-39819 | Med | 5.3 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. | |
| CVE-2026-39817 | Med | 5.9 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. | |
| CVE-2026-33814 | Hig | 7.5 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | |
| CVE-2026-33811 | Hig | 7.5 | < 2.7.3-r4 | 2.7.3-r4 | May 7, 2026 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. | |
| CVE-2026-44405 | Low | 3.4 | < 2.7.3-r2 | 2.7.3-r2 | May 6, 2026 | In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm. | |
| CVE-2026-6357 | Med | — | < 2.7.3-r2 | 2.7.3-r2 | Apr 27, 2026 | pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct | |
| CVE-2026-41066 | Hig | 7.5 | < 2.7.2-r2 | 2.7.2-r2 | Apr 24, 2026 | lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolv | |
| CVE-2026-41205 | Hig | 7.5 | < 2.7.2-r2 | 2.7.2-r2 | Apr 23, 2026 | Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable | |
| CVE-2026-41314 | Med | 6.5 | < 2.7.2-r2 | 2.7.2-r2 | Apr 22, 2026 | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fi | |
| CVE-2026-41313 | Med | 6.5 | < 2.7.2-r2 | 2.7.2-r2 | Apr 22, 2026 | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed | |
| CVE-2026-41312 | Med | 6.5 | < 2.7.2-r2 | 2.7.2-r2 | Apr 22, 2026 | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 | |
| CVE-2026-41168 | Med | 5.3 | < 2.7.2-r2 | 2.7.2-r2 | Apr 22, 2026 | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large | |
| CVE-2026-3219 | Med | — | < 2.7.3-r2 | 2.7.3-r2 | Apr 20, 2026 | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior | |
| CVE-2026-40491 | Med | 6.5 | < 2.7.2-r2 | 2.7.2-r2 | Apr 18, 2026 | gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the a |
- affected < 2.7.3-r4fixed 2.7.3-r4
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
- affected < 2.7.3-r4fixed 2.7.3-r4
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
- affected < 2.7.3-r4fixed 2.7.3-r4
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
- affected < 2.7.3-r4fixed 2.7.3-r4
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
- affected < 2.7.3-r4fixed 2.7.3-r4
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
- affected < 2.7.3-r4fixed 2.7.3-r4
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
- affected < 2.7.3-r4fixed 2.7.3-r4
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
- affected < 2.7.3-r4fixed 2.7.3-r4
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
- affected < 2.7.3-r4fixed 2.7.3-r4
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
- affected < 2.7.3-r4fixed 2.7.3-r4
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
- affected < 2.7.3-r2fixed 2.7.3-r2
In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.
- affected < 2.7.3-r2fixed 2.7.3-r2
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct
- affected < 2.7.2-r2fixed 2.7.2-r2
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolv
- affected < 2.7.2-r2fixed 2.7.2-r2
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable
- affected < 2.7.2-r2fixed 2.7.2-r2
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fi
- affected < 2.7.2-r2fixed 2.7.2-r2
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed
- affected < 2.7.2-r2fixed 2.7.2-r2
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1
- affected < 2.7.2-r2fixed 2.7.2-r2
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large
- affected < 2.7.3-r2fixed 2.7.3-r2
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior
- affected < 2.7.2-r2fixed 2.7.2-r2
gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the a
Page 3 of 9