VYPR

apk package

chainguard/teleport-18.6

pkg:apk/chainguard/teleport-18.6

Vulnerabilities (65)

  • CVE-2026-32952MedApr 24, 2026
    affected < 18.6.8-r21fixed 18.6.8-r21

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-35469HigApr 16, 2026
    affected < 18.6.8-r12fixed 18.6.8-r12

    spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,

  • CVE-2026-39984MedApr 15, 2026
    affected < 18.6.8-r29fixed 18.6.8-r29

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-speci

  • CVE-2026-39883HigApr 8, 2026
    affected < 18.6.8-r10fixed 18.6.8-r10

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 18.6.8-r14fixed 18.6.8-r14

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-33816CriApr 7, 2026
    affected < 0fixed 0

    Memory-safety vulnerability in github.com/jackc/pgx/v5.

  • CVE-2026-33815CriApr 7, 2026
    affected < 18.6.8-r22fixed 18.6.8-r22

    Memory-safety vulnerability in github.com/jackc/pgx/v5.

  • CVE-2026-34986HigApr 6, 2026
    affected < 18.6.8-r9fixed 18.6.8-r9

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-34165MedMar 31, 2026
    affected < 18.6.8-r9fixed 18.6.8-r9

    go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re

  • CVE-2026-33762LowMar 31, 2026
    affected < 18.6.8-r9fixed 18.6.8-r9

    go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t

  • CVE-2026-32286HigMar 26, 2026
    affected < 0fixed 0

    The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

  • CVE-2026-32285HigMar 26, 2026
    affected < 18.6.8-r7fixed 18.6.8-r7

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

  • CVE-2026-33487HigMar 26, 2026
    affected < 18.6.8-r6fixed 18.6.8-r6

    goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo

  • CVE-2026-33186CriMar 20, 2026
    affected < 18.6.8-r5fixed 18.6.8-r5

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-15558Mar 4, 2026
    affected < 18.6.8-r3fixed 18.6.8-r3

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2026-2303MedFeb 10, 2026
    affected < 18.6.8-r25fixed 18.6.8-r25

    The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI b

  • CVE-2026-25934Feb 9, 2026
    affected < 18.6.8-r4fixed 18.6.8-r4

    go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,

  • CVE-2026-24051HigFeb 2, 2026
    affected < 18.6.8-r2fixed 18.6.8-r2

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2026-24686Jan 27, 2026
    affected < 18.6.8-r9fixed 18.6.8-r9

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.

  • CVE-2026-24137MedJan 23, 2026
    affected < 0fixed 0

    sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target na