apk package
chainguard/opensearch-dashboards-2-dashboards-reporting
pkg:apk/chainguard/opensearch-dashboards-2-dashboards-reporting
Vulnerabilities (61)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24040 | — | < 2.19.4-r7 | 2.19.4-r7 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared | ||
| CVE-2026-24043 | — | < 2.19.4-r7 | 2.19.4-r7 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me | ||
| CVE-2026-24133 | — | < 2.19.4-r7 | 2.19.4-r7 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file | ||
| CVE-2026-24737 | — | < 2.19.4-r7 | 2.19.4-r7 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following me | ||
| CVE-2025-13465 | Med | 5.3 | < 2.19.4-r6 | 2.19.4-r6 | Jan 21, 2026 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin | |
| CVE-2025-68428 | — | < 2.19.4-r7 | 2.19.4-r7 | Jan 5, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user | ||
| CVE-2026-0621 | — | < 2.19.4-r4 | 2.19.4-r4 | Jan 5, 2026 | Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching | ||
| CVE-2025-15284 | — | < 2.19.4-r10 | 2.19.4-r10 | Dec 29, 2025 | Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim | ||
| CVE-2025-66414 | — | < 2.19.4-r3 | 2.19.4-r3 | Dec 2, 2025 | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on l | ||
| CVE-2025-66030 | — | < 2.19.4-r2 | 2.19.4-r2 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. | ||
| CVE-2025-66031 | — | < 2.19.4-r2 | 2.19.4-r2 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re | ||
| CVE-2025-12816 | — | < 2.19.4-r2 | 2.19.4-r2 | Nov 25, 2025 | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s | ||
| CVE-2025-13466 | Med | — | < 2.19.4-r2 | 2.19.4-r2 | Nov 24, 2025 | body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and mem | |
| CVE-2025-64718 | — | < 2.19.4-r1 | 2.19.4-r1 | Nov 13, 2025 | js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T | ||
| CVE-2025-57319 | Hig | 7.5 | < 0 | 0 | Sep 24, 2025 | fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia | |
| CVE-2025-58754 | — | < 2.19.3-r0 | 2.19.3-r0 | Sep 12, 2025 | Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire | ||
| CVE-2025-57810 | — | < 2.19.4-r7 | 2.19.4-r7 | Aug 26, 2025 | jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provid | ||
| CVE-2025-54798 | — | < 2.19.2-r5 | 2.19.2-r5 | Aug 7, 2025 | tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4. | ||
| CVE-2025-7783 | Cri | — | < 2.19.2-r4 | 2.19.2-r4 | Jul 18, 2025 | Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3. | |
| CVE-2025-5889 | Low | 3.1 | < 2.19.2-r2 | 2.19.2-r2 | Jun 9, 2025 | A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l |
- CVE-2026-24040Feb 2, 2026affected < 2.19.4-r7fixed 2.19.4-r7
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared
- CVE-2026-24043Feb 2, 2026affected < 2.19.4-r7fixed 2.19.4-r7
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me
- CVE-2026-24133Feb 2, 2026affected < 2.19.4-r7fixed 2.19.4-r7
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file
- CVE-2026-24737Feb 2, 2026affected < 2.19.4-r7fixed 2.19.4-r7
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following me
- affected < 2.19.4-r6fixed 2.19.4-r6
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin
- CVE-2025-68428Jan 5, 2026affected < 2.19.4-r7fixed 2.19.4-r7
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user
- CVE-2026-0621Jan 5, 2026affected < 2.19.4-r4fixed 2.19.4-r4
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching
- CVE-2025-15284Dec 29, 2025affected < 2.19.4-r10fixed 2.19.4-r10
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim
- CVE-2025-66414Dec 2, 2025affected < 2.19.4-r3fixed 2.19.4-r3
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on l
- CVE-2025-66030Nov 26, 2025affected < 2.19.4-r2fixed 2.19.4-r2
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.
- CVE-2025-66031Nov 26, 2025affected < 2.19.4-r2fixed 2.19.4-r2
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re
- CVE-2025-12816Nov 25, 2025affected < 2.19.4-r2fixed 2.19.4-r2
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s
- affected < 2.19.4-r2fixed 2.19.4-r2
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and mem
- CVE-2025-64718Nov 13, 2025affected < 2.19.4-r1fixed 2.19.4-r1
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T
- affected < 0fixed 0
fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia
- CVE-2025-58754Sep 12, 2025affected < 2.19.3-r0fixed 2.19.3-r0
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire
- CVE-2025-57810Aug 26, 2025affected < 2.19.4-r7fixed 2.19.4-r7
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provid
- CVE-2025-54798Aug 7, 2025affected < 2.19.2-r5fixed 2.19.2-r5
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.
- affected < 2.19.2-r4fixed 2.19.2-r4
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
- affected < 2.19.2-r2fixed 2.19.2-r2
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l
Page 2 of 4