VYPR

apk package

chainguard/thingsboard-tb-node

pkg:apk/chainguard/thingsboard-tb-node

Vulnerabilities (133)

  • CVE-2026-42498HigMay 12, 2026
    affected < 4.3.1.2-r0fixed 4.3.1.2-r0

    Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, f

  • CVE-2026-41293CriMay 12, 2026
    affected < 4.3.1.2-r0fixed 4.3.1.2-r0

    Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users

  • CVE-2026-41284HigMay 12, 2026
    affected < 4.3.1.2-r0fixed 4.3.1.2-r0

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are reco

  • CVE-2026-41417MedMay 6, 2026
    affected < 4.3.1.1-r5fixed 4.3.1.1-r5

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-42440HigMay 4, 2026
    affected < 4.3.1.1-r7fixed 4.3.1.1-r7

    OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader  Versions Affected:  before 2.5.9 before 3.0.0-M3  Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed inte

  • CVE-2026-42027CriMay 4, 2026
    affected < 4.3.1.1-r7fixed 4.3.1.1-r7

    Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description:  The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName(

  • CVE-2026-40682CriMay 4, 2026
    affected < 4.3.1.1-r7fixed 4.3.1.1-r7

    XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling F

  • CVE-2026-42198HigApr 29, 2026
    affected < 4.3.1.1-r3fixed 4.3.1.1-r3

    pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg

  • CVE-2026-22745MedApr 29, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is

  • CVE-2026-22741LowApr 29, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuri

  • CVE-2026-22740MedApr 29, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsuppo

  • CVE-2026-40973HigApr 28, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session

  • CVE-2026-22748MedApr 22, 2026
    affected < 4.3.1.1-r6fixed 4.3.1.1-r6

    Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder  or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.

  • CVE-2026-22746LowApr 22, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are

  • CVE-2026-22751MedApr 21, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 throu

  • CVE-2026-5598HigApr 15, 2026
    affected < 4.3.1.2-r0fixed 4.3.1.2-r0

    Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.

  • CVE-2026-5588MedApr 15, 2026
    affected < 4.3.1.2-r0fixed 4.3.1.2-r0

    Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modul

  • CVE-2026-0636MedApr 15, 2026
    affected < 4.3.1.2-r0fixed 4.3.1.2-r0

    Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from

  • CVE-2026-34500MedApr 9, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommend

  • CVE-2026-34487HigApr 9, 2026
    affected < 4.3.1.1-r11fixed 4.3.1.1-r11

    Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 thr

Page 3 of 7