VYPR

apk package

chainguard/thingsboard-tb-js-executor-fips

pkg:apk/chainguard/thingsboard-tb-js-executor-fips

Vulnerabilities (5)

  • CVE-2026-53550 | Jun 15, 2026
    affected < 4.3.1.2-r1 | fixed 4.3.1.2-r1

    Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-8723 | Medium | May 17, 2026
    affected < 4.3.1.1-r2 | fixed 4.3.1.1-r2

    Summary: `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-41650 | Medium | May 7, 2026
    affected < 4.3.1.2-r2 | fixed 4.3.1.2-r2

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This

  • CVE-2026-4867 | High | Mar 26, 2026
    affected < 4.3.1.1-r0 | fixed 4.3.1.1-r0

    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu

  • CVE-2026-2391 | Feb 12, 2026
    affected < 4.3.0.1-r1 | fixed 4.3.0.1-r1

    Summary: The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass