VYPR

apk package

chainguard/nemo

pkg:apk/chainguard/nemo

Vulnerabilities (169)

  • CVE-2026-33231Mar 20, 2026
    affected < 2.7.2-r1fixed 2.7.2-r1

    NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet B

  • CVE-2026-33230Mar 20, 2026
    affected < 2.7.2-r1fixed 2.7.2-r1

    NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `looku

  • CVE-2026-28500Mar 18, 2026
    affected < 2.7.2-r1fixed 2.7.2-r1

    Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is d

  • CVE-2026-32274Mar 12, 2026
    affected < 2.7.0-r2fixed 2.7.0-r2

    Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker wh

  • CVE-2026-31826Mar 10, 2026
    affected < 2.7.0-r2fixed 2.7.0-r2

    pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length insid

  • CVE-2026-27142MedMar 6, 2026
    affected < 2.7.0-r2fixed 2.7.0-r2

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 2.7.0-r2fixed 2.7.0-r2

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 2.7.0-r2fixed 2.7.0-r2

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2026-28351Feb 27, 2026
    affected < 2.7.0-r1fixed 2.7.0-r1

    pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.

  • CVE-2026-27141HigFeb 26, 2026
    affected < 2.7.0-r2fixed 2.7.0-r2

    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

  • CVE-2025-14009Feb 18, 2026
    affected < 2.6.2-r3fixed 2.6.2-r3

    A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip pack

  • CVE-2025-69872CriFeb 11, 2026
    affected < 2.7.3-r0fixed 2.7.3-r0

    DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.

  • CVE-2026-26007Feb 10, 2026
    affected < 2.7.3-r2fixed 2.7.3-r2

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-25934Feb 9, 2026
    affected < 2.6.2-r2fixed 2.6.2-r2

    go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,

  • CVE-2025-68121CriFeb 5, 2026
    affected < 2.6.2-r2fixed 2.6.2-r2

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 2.6.2-r2fixed 2.6.2-r2

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-64712Feb 4, 2026
    affected < 2.6.1-r4fixed 2.6.1-r4

    The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or

  • CVE-2026-1703LowFeb 2, 2026
    affected < 2.6.1-r4fixed 2.6.1-r4

    When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat

  • CVE-2026-24688Jan 27, 2026
    affected < 2.6.1-r4fixed 2.6.1-r4

    pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.

  • CVE-2026-0994HigJan 23, 2026
    affected < 2.6.1-r4fixed 2.6.1-r4

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

Page 5 of 9