VYPR

apk package

chainguard/seaweedfs-fips

pkg:apk/chainguard/seaweedfs-fips

Vulnerabilities (43)

  • CVE-2026-46602Jun 27, 2026
    affected < 4.36-r3fixed 4.36-r3

    The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

  • CVE-2026-46604Jun 27, 2026
    affected < 4.36-r3fixed 4.36-r3

    The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

  • CVE-2026-46601modJun 25, 2026
    affected < 4.36-r3fixed 4.36-r3

    golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images

  • CVE-2026-41178MedJun 4, 2026
    affected < 4.36-r1fixed 4.36-r1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss

  • CVE-2026-42507MedJun 2, 2026
    affected < 4.31-r1fixed 4.31-r1

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 0fixed 0

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 4.31-r1fixed 4.31-r1

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-46599HigMay 29, 2026
    affected < 4.34-r1fixed 4.34-r1

    The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

  • CVE-2026-42500MedMay 29, 2026
    affected < 4.34-r1fixed 4.34-r1

    Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.

  • CVE-2026-41889CriMay 8, 2026
    affected < 4.22-r0fixed 4.22-r0

    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol

  • CVE-2026-42501HigMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser

  • CVE-2026-42499HigMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 4.23-r1fixed 4.23-r1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Page 1 of 3