VYPR

apk package

chainguard/py3.10-vllm-cuda-12.9

pkg:apk/chainguard/py3.10-vllm-cuda-12.9

Vulnerabilities (13)

  • CVE-2026-48746 (Critical) Jun 16, 2026
    affected < 0.19.1-r1, fixed 0.19.1-r1

    Summary: A vulnerability in ASGI web servers and starlette's trust in those web servers enables an authentication bypass of the OpenAI API `AuthenticationMiddleware`, which was discovered during @x41sec's source code audit. It allows using the API without providing the confi

  • CVE-2026-54274 Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. Impact: If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive m

  • CVE-2026-54275 (Low) Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: The `server_hostname` TLS SNI check can be bypassed when an existing connection is reused. Impact: If an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reus

  • CVE-2026-54280 (Low) Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: Payload resources are not closed correctly when a client disconnects in the middle of a write. Impact: If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection

  • CVE-2026-54273 Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: No limit was present on the number of pipelined requests that could be queued. Impact: An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. Patch: https://github.com/aio-libs/aiohttp/commit/dfd

  • CVE-2026-54278 Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. Impact: An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip

  • CVE-2026-54277 Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: It is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. Impact: If using the optimised C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an exces

  • CVE-2026-54276 Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: `DigestAuthMiddleware` can send an authentication response after following a cross-origin redirect. Impact: If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likel

  • CVE-2026-54279 (Low) Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: Host-only cookies that are saved with `CookieJar.save()` and then restored later with `CookieJar.load()` lose their host-only status. Impact: Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disall

  • CVE-2026-50269 (Low) Jun 15, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    Summary: Attacker-controlled input included in multipart/payload headers can be used to modify a request to inject additional headers or similar. Impact: In the unlikely situation that an application is passing user-controlled strings into `MultipartWriter.append(heade

  • CVE-2026-47265 (High) Jun 2, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then

  • CVE-2026-34993 (Medium) Jun 2, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using `CookieJar.load()` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is

  • CVE-2026-7141 (Medium) Apr 27, 2026
    affected < 0.19.1-r0, fixed 0.19.1-r0

    A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component KV Block Handler. Performing a manipulation results in uninitialized resource. It is possible to initiate the attack re