VYPR

apk package

chainguard/tileserver-gl-fips

pkg:apk/chainguard/tileserver-gl-fips

Vulnerabilities (62)

  • CVE-2026-53655Jun 15, 2026
    affected < 5.6.0-r6fixed 5.6.0-r6

    ### Summary `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`

  • CVE-2026-53550Jun 15, 2026
    affected < 5.6.0-r7fixed 5.6.0-r7

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-12143HigJun 12, 2026
    affected < 5.6.0-r5fixed 5.6.0-r5

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-45149MedMay 29, 2026
    affected < 5.6.0-r3fixed 5.6.0-r3

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 mill

  • CVE-2026-9277HigMay 22, 2026
    affected < 5.6.0-r4fixed 5.6.0-r4

    shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line te

  • CVE-2026-8723MedMay 17, 2026
    affected < 5.6.0-r3fixed 5.6.0-r3

    ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).

  • CVE-2026-42338MedMay 12, 2026
    affected < 5.6.0-r2fixed 5.6.0-r2

    ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi

  • CVE-2026-41650MedMay 7, 2026
    affected < 5.6.0-r2fixed 5.6.0-r2

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This

  • CVE-2026-6322HigMay 5, 2026
    affected < 5.6.0-r3fixed 5.6.0-r3

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321HigMay 4, 2026
    affected < 5.6.0-r3fixed 5.6.0-r3

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize

  • CVE-2026-5758MedApr 15, 2026
    affected < 5.6.0-r1fixed 5.6.0-r1

    JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.

  • CVE-2026-34043MedMar 31, 2026
    affected < 5.5.0-r12fixed 5.5.0-r12

    Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Ar

  • CVE-2026-33941HigMar 27, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly i

  • CVE-2026-33940HigMar 27, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebar

  • CVE-2026-33939HigMar 27, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")

  • CVE-2026-33938HigMar 27, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objec

  • CVE-2026-33937CriMar 27, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the ge

  • CVE-2026-33916MedMar 27, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal

  • CVE-2026-33750MedMar 27, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-33672MedMar 26, 2026
    affected < 5.5.0-r11fixed 5.5.0-r11

    Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

Page 1 of 4