VYPR

apk package

chainguard/saf

pkg:apk/chainguard/saf

Vulnerabilities (72)

  • CVE-2026-11525 (severity: Low) Jun 17, 2026
    affected: < 1.6.0-r2, fixed: 1.6.0-r2

    undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-6733 (severity: Low) Jun 17, 2026
    affected: < 1.6.0-r2, fixed: 1.6.0-r2

    undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

  • CVE-2026-9679 (severity: Moderate) Jun 17, 2026
    affected: < 1.6.0-r2, fixed: 1.6.0-r2

    undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

  • CVE-2026-12151 (severity: Important) Jun 17, 2026
    affected: < 1.6.0-r2, fixed: 1.6.0-r2

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-53655 Jun 15, 2026
    affected: < 1.6.0-r1, fixed: 1.6.0-r1

    Summary: `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`

  • CVE-2026-53550 Jun 15, 2026
    affected: < 1.6.0-r1, fixed: 1.6.0-r1

    Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-12143 (severity: High) Jun 12, 2026
    affected: < 1.6.0-r1, fixed: 1.6.0-r1

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-49982 (severity: High) Jun 11, 2026
    affected: < 1.6.0-r1, fixed: 1.6.0-r1

    tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje

  • CVE-2026-44705 (severity: High) Jun 11, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal

  • CVE-2026-46625 (severity: High) Jun 10, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o

  • CVE-2026-8723 (severity: Medium) May 17, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    Summary: `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-42338 (severity: Medium) May 12, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-42264 (severity: High) May 8, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert

  • CVE-2026-41650 (severity: Medium) May 7, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This

  • CVE-2026-41675 (severity: High) May 7, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be seriali

  • CVE-2026-41674 (severity: High) May 7, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, syste

  • CVE-2026-41673 (severity: High) May 7, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A suffic

  • CVE-2026-41672 (severity: High) May 7, 2026
    affected: < 1.6.0-r0, fixed: 1.6.0-r0

    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML

  • CVE-2026-6322 (severity: High) May 5, 2026
    affected: < 1.5.3-r1, fixed: 1.5.3-r1

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321 (severity: High) May 4, 2026
    affected: < 1.5.3-r1, fixed: 1.5.3-r1

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize

Page 1 of 4