apk package
chainguard/pelias-api
pkg:apk/chainguard/pelias-api
Vulnerabilities (30)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-11525 | low | 3.7 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 17, 2026 | undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header |
| CVE-2026-6733 | low | 3.7 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 17, 2026 | undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery. |
| CVE-2026-9678 | moderate | 5.9 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 17, 2026 | undici: Undici: Information disclosure due to improper cache-control header parsing |
| CVE-2026-9679 | moderate | 5.9 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 17, 2026 | undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding |
| CVE-2026-9697 | important | 7.4 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 17, 2026 | undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy |
| CVE-2026-6734 | important | 7.5 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 17, 2026 | undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing |
| CVE-2026-12151 | important | 7.5 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 17, 2026 | undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames |
| CVE-2026-53550 | — | | | < 7.8.0-r5 | 7.8.0-r5 | Jun 15, 2026 | Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event |
| CVE-2026-12143 | high | 7.5 | | < 7.8.0-r4 | 7.8.0-r4 | Jun 12, 2026 | form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee |
| CVE-2026-8723 | medium | 5.3 | | < 7.8.0-r3 | 7.8.0-r3 | May 17, 2026 | Summary: `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`). |
| CVE-2026-41305 | medium | 6.1 | | < 7.8.0-r0 | 7.8.0-r0 | Apr 24, 2026 | PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em |
| CVE-2026-4800 | high | 8.1 | | < 7.6.0-r6 | 7.6.0-r6 | Mar 31, 2026 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a |
| CVE-2026-2950 | medium | 6.5 | | < 7.6.0-r6 | 7.6.0-r6 | Mar 31, 2026 | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca |
| CVE-2026-33941 | high | 8.2 | | < 7.6.0-r5 | 7.6.0-r5 | Mar 27, 2026 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly i |
| CVE-2026-33940 | high | 8.1 | | < 7.6.0-r5 | 7.6.0-r5 | Mar 27, 2026 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebar |
| CVE-2026-33939 | high | 7.5 | | < 7.6.0-r5 | 7.6.0-r5 | Mar 27, 2026 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n") |
| CVE-2026-33938 | high | 8.1 | | < 7.6.0-r5 | 7.6.0-r5 | Mar 27, 2026 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objec |
| CVE-2026-33937 | critical | 9.8 | | < 7.6.0-r5 | 7.6.0-r5 | Mar 27, 2026 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the ge |
| CVE-2026-33916 | medium | 4.7 | | < 7.6.0-r5 | 7.6.0-r5 | Mar 27, 2026 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal |
| CVE-2026-33750 | medium | 6.5 | | < 7.6.0-r5 | 7.6.0-r5 | Mar 27, 2026 | The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process |
Page 1 of 2