VYPR

apk package

chainguard/request-1276

pkg:apk/chainguard/request-1276

Vulnerabilities (73)

  • CVE-2026-34516HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched

  • CVE-2026-34515HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.

  • CVE-2026-34514MedApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

  • CVE-2026-34513HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.

  • CVE-2026-22815HigApr 1, 2026
    affected < 0.27.1-r2fixed 0.27.1-r2

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

  • CVE-2026-25645Mar 25, 2026
    affected < 0.27.1-r1fixed 0.27.1-r1

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-4539LowMar 22, 2026
    affected < 0.27.1-r1fixed 0.27.1-r1

    A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit

  • CVE-2026-30922HigMar 18, 2026
    affected < 0.27.0-r6fixed 0.27.0-r6

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousa

  • CVE-2026-27459Mar 17, 2026
    affected < 0.27.0-r6fixed 0.27.0-r6

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Sta

  • CVE-2026-27448Mar 17, 2026
    affected < 0.27.0-r6fixed 0.27.0-r6

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying

  • CVE-2026-32597HigMar 13, 2026
    affected < 0.27.0-r6fixed 0.27.0-r6

    PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i

  • CVE-2026-26007Feb 10, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-1703LowFeb 2, 2026
    affected < 0.27.1-r1fixed 0.27.1-r1

    When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat

  • CVE-2026-0994HigJan 23, 2026
    affected < 0.27.0-r5fixed 0.27.0-r5

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

  • CVE-2025-71176MedJan 22, 2026
    affected < 0.28.0-r0fixed 0.28.0-r0

    pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.

  • CVE-2026-24049Jan 22, 2026
    affected < 0.27.1-r1fixed 0.27.1-r1

    wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil

  • CVE-2026-23949Jan 20, 2026
    affected < 0.27.0-r4fixed 0.27.0-r4

    jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta

  • CVE-2026-23490Jan 16, 2026
    affected < 0.27.0-r3fixed 0.27.0-r3

    pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

  • CVE-2026-21226Jan 13, 2026
    affected < 0.27.0-r3fixed 0.27.0-r3

    Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

  • CVE-2026-22702Jan 10, 2026
    affected < 0.27.0-r4fixed 0.27.0-r4

    virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local acces