apk package
chainguard/nemo
pkg:apk/chainguard/nemo
Vulnerabilities (169)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33231 | — | < 2.7.2-r1 | 2.7.2-r1 | Mar 20, 2026 | NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet B | ||
| CVE-2026-33230 | — | < 2.7.2-r1 | 2.7.2-r1 | Mar 20, 2026 | NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `looku | ||
| CVE-2026-28500 | — | < 2.7.2-r1 | 2.7.2-r1 | Mar 18, 2026 | Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is d | ||
| CVE-2026-32274 | — | < 2.7.0-r2 | 2.7.0-r2 | Mar 12, 2026 | Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker wh | ||
| CVE-2026-31826 | — | < 2.7.0-r2 | 2.7.0-r2 | Mar 10, 2026 | pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length insid | ||
| CVE-2026-27142 | Med | 6.1 | < 2.7.0-r2 | 2.7.0-r2 | Mar 6, 2026 | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap | |
| CVE-2026-27139 | Low | 2.5 | < 2.7.0-r2 | 2.7.0-r2 | Mar 6, 2026 | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary | |
| CVE-2026-25679 | Hig | 7.5 | < 2.7.0-r2 | 2.7.0-r2 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2026-28351 | — | < 2.7.0-r1 | 2.7.0-r1 | Feb 27, 2026 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7. | ||
| CVE-2026-27141 | Hig | 7.5 | < 2.7.0-r2 | 2.7.0-r2 | Feb 26, 2026 | Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic | |
| CVE-2025-14009 | — | < 2.6.2-r3 | 2.6.2-r3 | Feb 18, 2026 | A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip pack | ||
| CVE-2025-69872 | Cri | 9.8 | < 2.7.3-r0 | 2.7.3-r0 | Feb 11, 2026 | DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache. | |
| CVE-2026-26007 | — | < 2.7.3-r2 | 2.7.3-r2 | Feb 10, 2026 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke | ||
| CVE-2026-25934 | — | < 2.6.2-r2 | 2.6.2-r2 | Feb 9, 2026 | go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, | ||
| CVE-2025-68121 | Cri | 10.0 | < 2.6.2-r2 | 2.6.2-r2 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61732 | — | < 2.6.2-r2 | 2.6.2-r2 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||
| CVE-2025-64712 | — | < 2.6.1-r4 | 2.6.1-r4 | Feb 4, 2026 | The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or | ||
| CVE-2026-1703 | Low | — | < 2.6.1-r4 | 2.6.1-r4 | Feb 2, 2026 | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat | |
| CVE-2026-24688 | — | < 2.6.1-r4 | 2.6.1-r4 | Jan 27, 2026 | pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6. | ||
| CVE-2026-0994 | Hig | 7.5 | < 2.6.1-r4 | 2.6.1-r4 | Jan 23, 2026 | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l |
- CVE-2026-33231Mar 20, 2026affected < 2.7.2-r1fixed 2.7.2-r1
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet B
- CVE-2026-33230Mar 20, 2026affected < 2.7.2-r1fixed 2.7.2-r1
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `looku
- CVE-2026-28500Mar 18, 2026affected < 2.7.2-r1fixed 2.7.2-r1
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is d
- CVE-2026-32274Mar 12, 2026affected < 2.7.0-r2fixed 2.7.0-r2
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker wh
- CVE-2026-31826Mar 10, 2026affected < 2.7.0-r2fixed 2.7.0-r2
pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length insid
- affected < 2.7.0-r2fixed 2.7.0-r2
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
- affected < 2.7.0-r2fixed 2.7.0-r2
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
- affected < 2.7.0-r2fixed 2.7.0-r2
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- CVE-2026-28351Feb 27, 2026affected < 2.7.0-r1fixed 2.7.0-r1
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.
- affected < 2.7.0-r2fixed 2.7.0-r2
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
- CVE-2025-14009Feb 18, 2026affected < 2.6.2-r3fixed 2.6.2-r3
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip pack
- affected < 2.7.3-r0fixed 2.7.3-r0
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
- CVE-2026-26007Feb 10, 2026affected < 2.7.3-r2fixed 2.7.3-r2
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke
- CVE-2026-25934Feb 9, 2026affected < 2.6.2-r2fixed 2.6.2-r2
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,
- affected < 2.6.2-r2fixed 2.6.2-r2
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61732Feb 5, 2026affected < 2.6.2-r2fixed 2.6.2-r2
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- CVE-2025-64712Feb 4, 2026affected < 2.6.1-r4fixed 2.6.1-r4
The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or
- affected < 2.6.1-r4fixed 2.6.1-r4
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat
- CVE-2026-24688Jan 27, 2026affected < 2.6.1-r4fixed 2.6.1-r4
pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.
- affected < 2.6.1-r4fixed 2.6.1-r4
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l
Page 5 of 9