VYPR

apk package

chainguard/prism

pkg:apk/chainguard/prism

Vulnerabilities (84)

  • CVE-2026-11525 (severity: low) Jun 17, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733 (severity: low) Jun 17, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9679 (severity: moderate) Jun 17, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-12151 (severity: important) Jun 17, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-53655 Jun 15, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    Summary: `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`

  • CVE-2026-53550 Jun 15, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-12143 (severity: High) Jun 12, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-49982 (severity: High) Jun 11, 2026
    affected: < 5.15.11-r3, fixed: 5.15.11-r3

    tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje

  • CVE-2026-44705 (severity: High) Jun 11, 2026
    affected: < 5.15.10-r2, fixed: 5.15.10-r2

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal

  • CVE-2026-44494 (severity: High) Jun 11, 2026
    affected: < 5.15.11-r1, fixed: 5.15.11-r1

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-

  • CVE-2026-44492 (severity: High) Jun 11, 2026
    affected: < 5.15.11-r1, fixed: 5.15.11-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:

  • CVE-2026-44490 (severity: Medium) Jun 11, 2026
    affected: < 5.15.11-r1, fixed: 5.15.11-r1

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil

  • CVE-2026-44489 (severity: Low) Jun 11, 2026
    affected: < 5.15.11-r1, fixed: 5.15.11-r1

    Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209

  • CVE-2026-45149 (severity: Medium) May 29, 2026
    affected: < 5.15.10-r1, fixed: 5.15.10-r1

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-8723 (severity: Medium) May 17, 2026
    affected: < 5.15.10-r1, fixed: 5.15.10-r1

    Summary: `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-42338 (severity: Medium) May 12, 2026
    affected: < 5.15.10-r0, fixed: 5.15.10-r0

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-42264 (severity: High) May 8, 2026
    affected: < 5.15.10-r0, fixed: 5.15.10-r0

    Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert

  • CVE-2026-41650 (severity: Medium) May 7, 2026
    affected: < 5.15.10-r0, fixed: 5.15.10-r0

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This

  • CVE-2026-6322 (severity: High) May 5, 2026
    affected: < 5.15.10-r1, fixed: 5.15.10-r1

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321 (severity: High) May 4, 2026
    affected: < 5.15.10-r0, fixed: 5.15.10-r0

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize

Page 1 of 5