VYPR

apk package

chainguard/pelias-api

pkg:apk/chainguard/pelias-api

Vulnerabilities (30)

  • CVE-2026-11525 (low) · Jun 17, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733 (low) · Jun 17, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9678 (mod) · Jun 17, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    undici: Undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-9679 (mod) · Jun 17, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-9697 (imp) · Jun 17, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

  • CVE-2026-6734 (imp) · Jun 17, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing

  • CVE-2026-12151 (imp) · Jun 17, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-53550 · Jun 15, 2026
    affected: < 7.8.0-r5 · fixed: 7.8.0-r5

    Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-12143 (Hig) · Jun 12, 2026
    affected: < 7.8.0-r4 · fixed: 7.8.0-r4

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-8723 (Med) · May 17, 2026
    affected: < 7.8.0-r3 · fixed: 7.8.0-r3

    Summary: `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-41305 (Med) · Apr 24, 2026
    affected: < 7.8.0-r0 · fixed: 7.8.0-r0

    PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em

  • CVE-2026-4800 (Hig) · Mar 31, 2026
    affected: < 7.6.0-r6 · fixed: 7.6.0-r6

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950 (Med) · Mar 31, 2026
    affected: < 7.6.0-r6 · fixed: 7.6.0-r6

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-33941 (Hig) · Mar 27, 2026
    affected: < 7.6.0-r5 · fixed: 7.6.0-r5

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly i

  • CVE-2026-33940 (Hig) · Mar 27, 2026
    affected: < 7.6.0-r5 · fixed: 7.6.0-r5

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebar

  • CVE-2026-33939 (Hig) · Mar 27, 2026
    affected: < 7.6.0-r5 · fixed: 7.6.0-r5

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")

  • CVE-2026-33938 (Hig) · Mar 27, 2026
    affected: < 7.6.0-r5 · fixed: 7.6.0-r5

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objec

  • CVE-2026-33937 (Cri) · Mar 27, 2026
    affected: < 7.6.0-r5 · fixed: 7.6.0-r5

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the ge

  • CVE-2026-33916 (Med) · Mar 27, 2026
    affected: < 7.6.0-r5 · fixed: 7.6.0-r5

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal

  • CVE-2026-33750 (Med) · Mar 27, 2026
    affected: < 7.6.0-r5 · fixed: 7.6.0-r5

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

Page 1 of 2