VYPR

apk package

chainguard/reflex

pkg:apk/chainguard/reflex

Vulnerabilities (28)

  • CVE-2026-45409MedJun 5, 2026
    affected < 0.9.3-r0fixed 0.9.3-r0

    Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t

  • CVE-2026-42561HigMay 13, 2026
    affected < 0.9.3-r0fixed 0.9.3-r0

    Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the si

  • CVE-2026-44307HigMay 12, 2026
    affected < 0.9.3-r0fixed 0.9.3-r0

    Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads

  • CVE-2026-42545MedMay 12, 2026
    affected < 0.9.3-r0fixed 0.9.3-r0

    Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value const

  • CVE-2026-42544HigMay 12, 2026
    affected < 0.9.3-r0fixed 0.9.3-r0

    Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scop

  • CVE-2026-4539LowMar 22, 2026
    affected < 0.8.28-r2fixed 0.8.28-r2

    A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit

  • CVE-2026-24486Jan 27, 2026
    affected < 0.8.27-r0fixed 0.8.27-r0

    Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on th

  • CVE-2025-62727HigOct 28, 2025
    affected < 0.8.17-r0fixed 0.8.17-r0

    Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enabl

  • CVE-2025-61765MedOct 6, 2025
    affected < 0.8.14-r0fixed 0.8.14-r0

    python-socketio is a Python implementation of the Socket.IO realtime client and server. A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code through malicious pickle deserialization in multi-server dep

  • CVE-2025-8869MedSep 24, 2025
    affected < 0.8.14-r0fixed 0.8.14-r0

    When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by usi

  • CVE-2025-54121MedJul 21, 2025
    affected < 0.8.3-r0fixed 0.8.3-r0

    Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will bl

  • CVE-2025-50182Jun 19, 2025
    affected < 0.8.0-r0fixed 0.8.0-r0

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2024-47081MedJun 9, 2025
    affected < 0.8.5-r0fixed 0.8.5-r0

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-43859CriApr 24, 2025
    affected < 0.7.9-r0fixed 0.7.9-r0

    h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since explo

  • CVE-2025-27516Mar 5, 2025
    affected < 0.7.2-r0fixed 0.7.2-r0

    Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker nee

  • CVE-2024-12797MedFeb 11, 2025
    affected < 0.7.1-r0fixed 0.7.1-r0

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u

  • CVE-2024-56326Dec 23, 2024
    affected < 0.6.7-r0fixed 0.6.7-r0

    Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t

  • CVE-2024-56201Dec 23, 2024
    affected < 0.6.7-r0fixed 0.6.7-r0

    Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit

  • CVE-2024-53981HigDec 2, 2024
    affected < 0.6.7-r0fixed 0.6.7-r0

    python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time,

  • CVE-2024-47874HigOct 15, 2024
    affected < 0.6.4-r0fixed 0.6.4-r0

    Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload a

Page 1 of 2