VYPR

apk package

chainguard/superset-6.0

pkg:apk/chainguard/superset-6.0

Vulnerabilities (27)

  • CVE-2026-25990 · High · Feb 11, 2026
    affected < 6.0.0-r2 · fixed 6.0.0-r2

    Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

  • CVE-2026-26007 · Feb 10, 2026
    affected < 6.0.0-r2 · fixed 6.0.0-r2

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-24049 · Jan 22, 2026
    affected < 6.0.0-r1 · fixed 6.0.0-r1

    wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil

  • CVE-2026-23949 · Jan 20, 2026
    affected < 6.0.0-r1 · fixed 6.0.0-r1

    jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta

  • CVE-2024-6866 · Mar 20, 2025
    affected < 6.0.0-r2 · fixed 6.0.0-r2

    corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but t

  • CVE-2024-6844 · Mar 20, 2025
    affected < 6.0.0-r2 · fixed 6.0.0-r2

    A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads

  • CVE-2024-6839 · Mar 20, 2025
    affected < 6.0.0-r2 · fixed 6.0.0-r2

    corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This misma

Page 2 of 2