VYPR

apk package

chainguard/opensearch-dashboards-2-alerting-dashboards-plugin

pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-plugin

Vulnerabilities (55)

  • CVE-2025-15284Dec 29, 2025
    affected < 2.19.4-r10fixed 2.19.4-r10

    Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim

  • CVE-2025-66414HigDec 2, 2025
    affected < 2.19.4-r3fixed 2.19.4-r3

    MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on l

  • CVE-2025-66031HigNov 26, 2025
    affected < 2.19.4-r2fixed 2.19.4-r2

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re

  • CVE-2025-66030MedNov 26, 2025
    affected < 2.19.4-r2fixed 2.19.4-r2

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.

  • CVE-2025-12816HigNov 25, 2025
    affected < 2.19.4-r2fixed 2.19.4-r2

    An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s

  • CVE-2025-13466MedNov 24, 2025
    affected < 2.19.4-r2fixed 2.19.4-r2

    body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and mem

  • CVE-2025-64718MedNov 13, 2025
    affected < 2.19.4-r1fixed 2.19.4-r1

    js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T

  • CVE-2025-57319HigSep 24, 2025
    affected < 0fixed 0

    fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia

  • CVE-2025-57352MedSep 24, 2025
    affected < 2.19.4-r15fixed 2.19.4-r15

    A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of

  • CVE-2025-58754HigSep 12, 2025
    affected < 2.19.4-r0fixed 2.19.4-r0

    Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire

  • CVE-2025-57810HigAug 26, 2025
    affected < 2.19.4-r0fixed 2.19.4-r0

    jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provid

  • CVE-2025-54798LowAug 7, 2025
    affected < 2.19.2-r5fixed 2.19.2-r5

    tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

  • CVE-2025-7783CriJul 18, 2025
    affected < 2.19.2-r4fixed 2.19.2-r4

    Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

  • CVE-2025-5889LowJun 9, 2025
    affected < 2.19.2-r2fixed 2.19.2-r2

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l

  • CVE-2025-29907HigMar 18, 2025
    affected < 2.19.1-r3fixed 2.19.1-r3

    jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to the addImage method, a user can provide a harm

  • CVE-2025-27789MedMar 11, 2025
    affected < 2.19.1-r1fixed 2.19.1-r1

    Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specif

  • CVE-2025-25977CriMar 10, 2025
    affected < 2.19.1-r2fixed 2.19.1-r2

    An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.

  • CVE-2025-27152MedMar 7, 2025
    affected < 2.19.4-r0fixed 2.19.4-r0

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2025-26791MedFeb 14, 2025
    affected < 2.19.0-r1fixed 2.19.0-r1

    DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

  • CVE-2024-11831MedFeb 10, 2025
    affected < 2.19.4-r0fixed 2.19.4-r0

    A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed whe