VYPR

apk package

chainguard/opensearch-dashboards-2-fips

pkg:apk/chainguard/opensearch-dashboards-2-fips

Vulnerabilities (119)

  • CVE-2026-31802Mar 9, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur

  • CVE-2026-29786Mar 7, 2026
    affected < 2.19.5-r0fixed 2.19.5-r0

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar

  • CVE-2026-30827Mar 7, 2026
    affected < 2.19.4-r14fixed 2.19.4-r14

    express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6()

  • CVE-2026-29087HigMar 6, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resourc

  • CVE-2026-29085Mar 4, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE proto

  • CVE-2026-29045Mar 4, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to

  • CVE-2026-29086Mar 4, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cooki

  • CVE-2026-0540Mar 3, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F

  • CVE-2025-15599Mar 3, 2026
    affected < 2.19.5-r1fixed 2.19.5-r1

    DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tag

  • CVE-2026-27904Feb 26, 2026
    affected < 2.19.4-r13fixed 2.19.4-r13

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903Feb 26, 2026
    affected < 2.19.4-r13fixed 2.19.4-r13

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a

  • CVE-2026-2739MedFeb 20, 2026
    affected < 2.19.4-r11fixed 2.19.4-r11

    This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

  • CVE-2026-26996Feb 20, 2026
    affected < 2.19.4-r13fixed 2.19.4-r13

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-26960Feb 20, 2026
    affected < 2.19.5-r0fixed 2.19.5-r0

    node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t

  • CVE-2026-2391Feb 12, 2026
    affected < 2.19.4-r10fixed 2.19.4-r10

    ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2025-69873LowFeb 11, 2026
    affected < 2.19.5-r5fixed 2.19.5-r5

    ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp(

  • CVE-2026-25639HigFeb 9, 2026
    affected < 2.19.4-r9fixed 2.19.4-r9

    Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providi

  • CVE-2026-25536Feb 4, 2026
    affected < 2.19.4-r9fixed 2.19.4-r9

    MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in st

  • CVE-2026-24842Jan 28, 2026
    affected < 2.19.5-r0fixed 2.19.5-r0

    node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that b

  • CVE-2025-13465MedJan 21, 2026
    affected < 2.19.4-r6fixed 2.19.4-r6

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

Page 4 of 6