apk package
chainguard/seaweedfs-fips
pkg:apk/chainguard/seaweedfs-fips
Vulnerabilities (43)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-46602 | — | < 4.36-r3 | 4.36-r3 | Jun 27, 2026 | The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption. | ||
| CVE-2026-46604 | — | < 4.36-r3 | 4.36-r3 | Jun 27, 2026 | The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset. | ||
| CVE-2026-46601 | mod | 6.5 | < 4.36-r3 | 4.36-r3 | Jun 25, 2026 | golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images | |
| CVE-2026-41178 | Med | 5.3 | < 4.36-r1 | 4.36-r1 | Jun 4, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss | |
| CVE-2026-42507 | Med | 5.3 | < 4.31-r1 | 4.31-r1 | Jun 2, 2026 | When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. | |
| CVE-2026-42504 | Hig | 7.5 | < 0 | 0 | Jun 2, 2026 | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. | |
| CVE-2026-27145 | Med | 6.5 | < 4.31-r1 | 4.31-r1 | Jun 2, 2026 | (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic | |
| CVE-2026-46599 | Hig | 7.5 | < 4.34-r1 | 4.34-r1 | May 29, 2026 | The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data. | |
| CVE-2026-42500 | Med | 5.3 | < 4.34-r1 | 4.34-r1 | May 29, 2026 | Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image. | |
| CVE-2026-41889 | Cri | 9.8 | < 4.22-r0 | 4.22-r0 | May 8, 2026 | pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol | |
| CVE-2026-42501 | Hig | 7.5 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser | |
| CVE-2026-42499 | Hig | 7.5 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | |
| CVE-2026-39836 | Hig | 7.5 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | |
| CVE-2026-39826 | Med | 6.1 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. | |
| CVE-2026-39825 | Med | 5.3 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa | |
| CVE-2026-39823 | Med | 6.1 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le | |
| CVE-2026-39820 | Hig | 7.5 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. | |
| CVE-2026-39819 | Med | 5.3 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. | |
| CVE-2026-39817 | Med | 5.9 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. | |
| CVE-2026-33814 | Hig | 7.5 | < 4.23-r1 | 4.23-r1 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. |
- CVE-2026-46602Jun 27, 2026affected < 4.36-r3fixed 4.36-r3
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
- CVE-2026-46604Jun 27, 2026affected < 4.36-r3fixed 4.36-r3
The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.
- affected < 4.36-r3fixed 4.36-r3
golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images
- affected < 4.36-r1fixed 4.36-r1
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss
- affected < 4.31-r1fixed 4.31-r1
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
- affected < 0fixed 0
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
- affected < 4.31-r1fixed 4.31-r1
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic
- affected < 4.34-r1fixed 4.34-r1
The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
- affected < 4.34-r1fixed 4.34-r1
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
- affected < 4.22-r0fixed 4.22-r0
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol
- affected < 4.23-r1fixed 4.23-r1
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
- affected < 4.23-r1fixed 4.23-r1
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
- affected < 4.23-r1fixed 4.23-r1
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
- affected < 4.23-r1fixed 4.23-r1
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
- affected < 4.23-r1fixed 4.23-r1
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
- affected < 4.23-r1fixed 4.23-r1
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
- affected < 4.23-r1fixed 4.23-r1
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
- affected < 4.23-r1fixed 4.23-r1
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
- affected < 4.23-r1fixed 4.23-r1
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
- affected < 4.23-r1fixed 4.23-r1
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Page 1 of 3