VYPR

apk package

chainguard/opensearch-dashboards-2-fips-index-management-dashboards-plugin

pkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-plugin

Vulnerabilities (57)

  • CVE-2026-12143HigJun 12, 2026
    affected < 2.19.5-r16fixed 2.19.5-r16

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-49982HigJun 11, 2026
    affected < 2.19.5-r16fixed 2.19.5-r16

    tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje

  • CVE-2026-44705HigJun 11, 2026
    affected < 2.19.5-r13fixed 2.19.5-r13

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal

  • CVE-2026-8723MedMay 17, 2026
    affected < 2.19.5-r11fixed 2.19.5-r11

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-41907HigApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-4800HigMar 31, 2026
    affected < 2.19.5-r7fixed 2.19.5-r7

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 2.19.5-r7fixed 2.19.5-r7

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-31938Mar 18, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be e

  • CVE-2026-31898Mar 18, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following meth

  • CVE-2026-31988MedMar 11, 2026
    affected < 2.19.5-r0fixed 2.19.5-r0

    yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allo

  • CVE-2026-0540Mar 3, 2026
    affected < 2.19.4-r14fixed 2.19.4-r14

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F

  • CVE-2026-25940Feb 19, 2026
    affected < 2.19.4-r10fixed 2.19.4-r10

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following pr

  • CVE-2026-25755Feb 19, 2026
    affected < 2.19.4-r10fixed 2.19.4-r10

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker ca

  • CVE-2026-25535Feb 19, 2026
    affected < 2.19.4-r10fixed 2.19.4-r10

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF

  • CVE-2026-2391Feb 12, 2026
    affected < 2.19.4-r10fixed 2.19.4-r10

    ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2026-24040Feb 2, 2026
    affected < 2.19.4-r7fixed 2.19.4-r7

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared

  • CVE-2026-24043Feb 2, 2026
    affected < 2.19.4-r7fixed 2.19.4-r7

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me

  • CVE-2026-24133Feb 2, 2026
    affected < 2.19.4-r7fixed 2.19.4-r7

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file

  • CVE-2026-24737Feb 2, 2026
    affected < 2.19.4-r7fixed 2.19.4-r7

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following me

  • CVE-2025-13465MedJan 21, 2026
    affected < 2.19.4-r6fixed 2.19.4-r6

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

Page 1 of 3