apk package
chainguard/opensearch-dashboards-3-security-dashboards-plugin
pkg:apk/chainguard/opensearch-dashboards-3-security-dashboards-plugin
Vulnerabilities (36)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-12143 | Hig | 7.5 | < 3.7.0-r0 | 3.7.0-r0 | Jun 12, 2026 | form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee | |
| CVE-2026-44705 | Hig | 8.2 | < 3.6.0-r5 | 3.6.0-r5 | Jun 11, 2026 | tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal | |
| CVE-2026-48022 | — | < 3.7.0-r0 | 3.7.0-r0 | Jun 11, 2026 | ### Impact Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes | ||
| CVE-2026-44979 | — | < 3.7.0-r0 | 3.7.0-r0 | May 27, 2026 | ### Impact When `@hapi/wreck` follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credential | ||
| CVE-2026-8723 | Med | 5.3 | < 3.6.0-r4 | 3.6.0-r4 | May 17, 2026 | ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`). | |
| CVE-2026-42338 | Med | 6.1 | < 3.6.0-r3 | 3.6.0-r3 | May 12, 2026 | ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi | |
| CVE-2026-41324 | Hig | 7.5 | < 3.6.0-r0 | 3.6.0-r0 | Apr 24, 2026 | basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing | |
| CVE-2026-39983 | Hig | 8.6 | < 3.5.0-r15 | 3.5.0-r15 | Apr 9, 2026 | basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's pro | |
| CVE-2026-33750 | Med | 6.5 | < 3.5.0-r13 | 3.5.0-r13 | Mar 27, 2026 | The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process | |
| CVE-2026-31938 | — | < 3.5.0-r9 | 3.5.0-r9 | Mar 18, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be e | ||
| CVE-2026-31898 | — | < 3.5.0-r9 | 3.5.0-r9 | Mar 18, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following meth | ||
| CVE-2026-0540 | — | < 3.5.0-r6 | 3.5.0-r6 | Mar 3, 2026 | DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F | ||
| CVE-2026-27699 | — | < 3.5.0-r4 | 3.5.0-r4 | Feb 25, 2026 | The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil | ||
| CVE-2026-25940 | — | < 3.5.0-r1 | 3.5.0-r1 | Feb 19, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following pr | ||
| CVE-2026-25755 | — | < 3.5.0-r1 | 3.5.0-r1 | Feb 19, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker ca | ||
| CVE-2026-25535 | — | < 3.5.0-r1 | 3.5.0-r1 | Feb 19, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF | ||
| CVE-2026-2391 | — | < 3.5.0-r1 | 3.5.0-r1 | Feb 12, 2026 | ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass | ||
| CVE-2026-24040 | — | < 3.4.0-r2 | 3.4.0-r2 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared | ||
| CVE-2026-24043 | — | < 3.4.0-r2 | 3.4.0-r2 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me | ||
| CVE-2026-24133 | — | < 3.4.0-r2 | 3.4.0-r2 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file |
- affected < 3.7.0-r0fixed 3.7.0-r0
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee
- affected < 3.6.0-r5fixed 3.6.0-r5
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal
- CVE-2026-48022Jun 11, 2026affected < 3.7.0-r0fixed 3.7.0-r0
### Impact Wreck strips credential headers (Authorization, Cookie, Proxy-Authorization) before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port. As a result, credentials are forwarded intact across same-host port changes
- CVE-2026-44979May 27, 2026affected < 3.7.0-r0fixed 3.7.0-r0
### Impact When `@hapi/wreck` follows a 3xx redirect to a different hostname, only the `Authorization` and `Cookie` headers are stripped. The standard credential header `Proxy-Authorization` is forwarded intact to the redirect target, potentially exposing forward-proxy credential
- affected < 3.6.0-r4fixed 3.6.0-r4
### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).
- affected < 3.6.0-r3fixed 3.6.0-r3
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
- affected < 3.6.0-r0fixed 3.6.0-r0
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing
- affected < 3.5.0-r15fixed 3.5.0-r15
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's pro
- affected < 3.5.0-r13fixed 3.5.0-r13
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process
- CVE-2026-31938Mar 18, 2026affected < 3.5.0-r9fixed 3.5.0-r9
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be e
- CVE-2026-31898Mar 18, 2026affected < 3.5.0-r9fixed 3.5.0-r9
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following meth
- CVE-2026-0540Mar 3, 2026affected < 3.5.0-r6fixed 3.5.0-r6
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_F
- CVE-2026-27699Feb 25, 2026affected < 3.5.0-r4fixed 3.5.0-r4
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause fil
- CVE-2026-25940Feb 19, 2026affected < 3.5.0-r1fixed 3.5.0-r1
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following pr
- CVE-2026-25755Feb 19, 2026affected < 3.5.0-r1fixed 3.5.0-r1
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker ca
- CVE-2026-25535Feb 19, 2026affected < 3.5.0-r1fixed 3.5.0-r1
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF
- CVE-2026-2391Feb 12, 2026affected < 3.5.0-r1fixed 3.5.0-r1
### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass
- CVE-2026-24040Feb 2, 2026affected < 3.4.0-r2fixed 3.4.0-r2
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared
- CVE-2026-24043Feb 2, 2026affected < 3.4.0-r2fixed 3.4.0-r2
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me
- CVE-2026-24133Feb 2, 2026affected < 3.4.0-r2fixed 3.4.0-r2
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file
Page 1 of 2