VYPR

apk package

chainguard/neo4j-5.26

pkg:apk/chainguard/neo4j-5.26

Vulnerabilities (35)

  • CVE-2026-54517medJun 23, 2026
    affected < 5.26.27-r3fixed 5.26.27-r3

    ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()

  • CVE-2026-54514medJun 23, 2026
    affected < 5.26.27-r3fixed 5.26.27-r3

    ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd

  • CVE-2026-54513higJun 23, 2026
    affected < 5.26.27-r3fixed 5.26.27-r3

    ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli

  • CVE-2026-54512higJun 23, 2026
    affected < 5.26.27-r3fixed 5.26.27-r3

    `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal

  • CVE-2026-54518medJun 23, 2026
    affected < 5.26.27-r3fixed 5.26.27-r3

    ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea

  • CVE-2026-49268Jun 17, 2026
    affected < 5.26.27-r2fixed 5.26.27-r2

    A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attack

  • CVE-2026-45536MedJun 12, 2026
    affected < 5.26.27-r1fixed 5.26.27-r1

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_

  • CVE-2026-45416HigJun 12, 2026
    affected < 5.26.27-r1fixed 5.26.27-r1

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly all

  • CVE-2026-44249HigJun 11, 2026
    affected < 5.26.27-r1fixed 5.26.27-r1

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid pub

  • CVE-2026-45205MedMay 14, 2026
    affected < 5.26.25-r3fixed 5.26.25-r3

    Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0. Users are recommended to upgrade

  • CVE-2026-42587HigMay 13, 2026
    affected < 5.26.25-r2fixed 5.26.25-r2

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for

  • CVE-2026-42585MedMay 13, 2026
    affected < 5.26.25-r2fixed 5.26.25-r2

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

  • CVE-2026-42584HigMay 13, 2026
    affected < 5.26.25-r2fixed 5.26.25-r2

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the

  • CVE-2026-42583HigMay 13, 2026
    affected < 5.26.25-r2fixed 5.26.25-r2

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload

  • CVE-2026-42581MedMay 13, 2026
    affected < 5.26.25-r2fixed 5.26.25-r2

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T

  • CVE-2026-42580MedMay 13, 2026
    affected < 5.26.25-r2fixed 5.26.25-r2

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

  • CVE-2026-42577HigMay 13, 2026
    affected < 5.26.25-r1fixed 5.26.25-r1

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2026-41417MedMay 6, 2026
    affected < 5.26.25-r2fixed 5.26.25-r2

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-2332HigApr 14, 2026
    affected < 5.26.25-r1fixed 5.26.25-r1

    In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty term

  • CVE-2026-34481HigApr 10, 2026
    affected < 5.26.23-r3fixed 5.26.23-r3

    Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohib

Page 1 of 2

VYPR — Vulnerability Intelligence