VYPR

apk package

chainguard/opensearch-dashboards-3-alerting-dashboards-plugin

pkg:apk/chainguard/opensearch-dashboards-3-alerting-dashboards-plugin

Vulnerabilities (33)

  • CVE-2026-12143HigJun 12, 2026
    affected < 3.7.0-r0fixed 3.7.0-r0

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-44705HigJun 11, 2026
    affected < 3.6.0-r5fixed 3.6.0-r5

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal

  • CVE-2026-8723MedMay 17, 2026
    affected < 3.6.0-r4fixed 3.6.0-r4

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-4800HigMar 31, 2026
    affected < 3.5.0-r15fixed 3.5.0-r15

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 3.5.0-r15fixed 3.5.0-r15

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-33750MedMar 27, 2026
    affected < 3.5.0-r13fixed 3.5.0-r13

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-31938Mar 18, 2026
    affected < 3.5.0-r9fixed 3.5.0-r9

    jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be e

  • CVE-2026-31898Mar 18, 2026
    affected < 3.5.0-r9fixed 3.5.0-r9

    jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following meth

  • CVE-2026-0540Mar 3, 2026
    affected < 3.5.0-r6fixed 3.5.0-r6

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F

  • CVE-2026-25940Feb 19, 2026
    affected < 3.5.0-r1fixed 3.5.0-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following pr

  • CVE-2026-25755Feb 19, 2026
    affected < 3.5.0-r1fixed 3.5.0-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker ca

  • CVE-2026-25535Feb 19, 2026
    affected < 3.5.0-r1fixed 3.5.0-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF

  • CVE-2026-2391Feb 12, 2026
    affected < 3.5.0-r1fixed 3.5.0-r1

    ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2026-24040Feb 2, 2026
    affected < 3.4.0-r2fixed 3.4.0-r2

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared

  • CVE-2026-24043Feb 2, 2026
    affected < 3.4.0-r2fixed 3.4.0-r2

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me

  • CVE-2026-24133Feb 2, 2026
    affected < 3.4.0-r2fixed 3.4.0-r2

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file

  • CVE-2026-24737Feb 2, 2026
    affected < 3.4.0-r2fixed 3.4.0-r2

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following me

  • CVE-2025-13465MedJan 21, 2026
    affected < 3.4.0-r1fixed 3.4.0-r1

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2025-68428Jan 5, 2026
    affected < 3.4.0-r0fixed 3.4.0-r0

    jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user

  • CVE-2025-15284Dec 29, 2025
    affected < 3.5.0-r0fixed 3.5.0-r0

    Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLim

Page 1 of 2