VYPR

apk package

chainguard/py3.12-prefect-fips

pkg:apk/chainguard/py3.12-prefect-fips

Vulnerabilities (8)

  • CVE-2026-54283 (High), Jun 15, 2026
    affected < 3.7.5-r0, fixed 3.7.5-r0

    Summary: `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can therefor

  • CVE-2026-54282 (Low), Jun 15, 2026
    affected < 3.7.5-r0, fixed 3.7.5-r0

    Summary: In affected versions, the HTTP request path is not validated before being used to reconstruct `request.url`. Because `request.url` is rebuilt by concatenating `{scheme}://{host}{path}` and re-parsing the result, a path that does not begin with `/` (for example `@goog

  • CVE-2026-44432 (High), May 13, 2026
    affected < 3.7.0-r1, fixed 3.7.0-r1

    urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w

  • CVE-2026-44431 (Medium), May 13, 2026
    affected < 3.7.0-r1, fixed 3.7.0-r1

    urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

  • CVE-2026-41205 (High), Apr 23, 2026
    affected < 3.6.27-r0, fixed 3.6.27-r0

    Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable

  • CVE-2026-34444 (Critical), Apr 6, 2026
    affected < 3.7.3-r0, fixed 3.7.3-r0

    Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventual

  • CVE-2026-25645, Mar 25, 2026
    affected < 3.6.23-r0, fixed 3.6.23-r0

    Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-4539 (Low), Mar 22, 2026
    affected < 3.6.24-r0, fixed 3.6.24-r0

    A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit