VYPR

apk package

chainguard/opensearch-dashboards-3-fips-security-dashboards-plugin

pkg:apk/chainguard/opensearch-dashboards-3-fips-security-dashboards-plugin

Vulnerabilities (36)

  • CVE-2026-12143 | High | Jun 12, 2026
    affected: < 3.7.0-r0; fixed: 3.7.0-r0

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-44705 | High | Jun 11, 2026
    affected: < 3.6.0-r7; fixed: 3.6.0-r7

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal

  • CVE-2026-48022 | Jun 11, 2026
    affected: < 3.7.0-r0; fixed: 3.7.0-r0

    Impact: Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes

  • CVE-2026-44979 | May 27, 2026
    affected: < 3.7.0-r0; fixed: 3.7.0-r0

    Impact: When `@hapi/wreck` follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credential

  • CVE-2026-8723 | Medium | May 17, 2026
    affected: < 3.6.0-r6; fixed: 3.6.0-r6

    Summary: `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-42338 | Medium | May 12, 2026
    affected: < 3.6.0-r5; fixed: 3.6.0-r5

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-41324 | High | Apr 24, 2026
    affected: < 3.6.0-r0; fixed: 3.6.0-r0

    basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing

  • CVE-2026-39983 | High | Apr 9, 2026
    affected: < 3.5.0-r10; fixed: 3.5.0-r10

    basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's pro

  • CVE-2026-33750 | Medium | Mar 27, 2026
    affected: < 3.5.0-r7; fixed: 3.5.0-r7

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-31938 | Mar 18, 2026
    affected: < 3.5.0-r6; fixed: 3.5.0-r6

    jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be e

  • CVE-2026-31898 | Mar 18, 2026
    affected: < 3.5.0-r6; fixed: 3.5.0-r6

    jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following meth

  • CVE-2026-31802 | Mar 9, 2026
    affected: < 3.5.0-r4; fixed: 3.5.0-r4

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur

  • CVE-2026-0540 | Mar 3, 2026
    affected: < 3.5.0-r4; fixed: 3.5.0-r4

    DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F

  • CVE-2026-27699 | Feb 25, 2026
    affected: < 3.5.0-r2; fixed: 3.5.0-r2

    The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil

  • CVE-2026-25940 | Feb 19, 2026
    affected: < 3.5.0-r1; fixed: 3.5.0-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following pr

  • CVE-2026-25755 | Feb 19, 2026
    affected: < 3.5.0-r1; fixed: 3.5.0-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker ca

  • CVE-2026-25535 | Feb 19, 2026
    affected: < 3.5.0-r1; fixed: 3.5.0-r1

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF

  • CVE-2026-2391 | Feb 12, 2026
    affected: < 3.5.0-r1; fixed: 3.5.0-r1

    Summary: The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2026-24040 | Feb 2, 2026
    affected: < 3.4.0-r3; fixed: 3.4.0-r3

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared

  • CVE-2026-24043 | Feb 2, 2026
    affected: < 3.4.0-r3; fixed: 3.4.0-r3

    jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me

Page 1 of 2