VYPR

apk package

chainguard/rclone-fips

pkg:apk/chainguard/rclone-fips

Vulnerabilities (47)

  • CVE-2026-46602Jun 27, 2026
    affected < 1.74.3-r2fixed 1.74.3-r2

    The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

  • CVE-2026-46604Jun 27, 2026
    affected < 1.74.3-r2fixed 1.74.3-r2

    The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

  • CVE-2026-46601modJun 25, 2026
    affected < 1.74.3-r2fixed 1.74.3-r2

    golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images

  • CVE-2026-41178MedJun 4, 2026
    affected < 1.74.3-r3fixed 1.74.3-r3

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss

  • CVE-2026-44740MedJun 1, 2026
    affected < 1.74.1-r2fixed 1.74.1-r2

    Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise

  • CVE-2026-44973HigMay 28, 2026
    affected < 1.74.1-r2fixed 1.74.1-r2

    Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.

  • CVE-2026-42501HigMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser

  • CVE-2026-42499HigMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 1.74.1-r0fixed 1.74.1-r0

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-32952MedApr 24, 2026
    affected < 1.73.5-r1fixed 1.73.5-r1

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-33813HigApr 21, 2026
    affected < 1.74.3-r1fixed 1.74.3-r1

    Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

  • CVE-2026-32289MedApr 8, 2026
    affected < 1.74.2-r2fixed 1.74.2-r2

    Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es

Page 1 of 3