apk package
chainguard/wazuh-dashboard
pkg:apk/chainguard/wazuh-dashboard
Vulnerabilities (71)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54288 |  | — |  | < 4.14.5-r6 | 4.14.5-r6 | Jun 16, 2026 | Summary: The Body Limit Middleware trusts the request's `Content-Length` header to decide whether a body is within the limit. On AWS Lambda (API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge) the body is delivered fully buffered and the adapter builds the request with the |
| CVE-2026-54289 |  | — |  | < 4.14.5-r6 | 4.14.5-r6 | Jun 16, 2026 | Summary: On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the ap |
| CVE-2026-54290 | High | — |  | < 4.14.5-r6 | 4.14.5-r6 | Jun 16, 2026 | Summary: With `credentials: true` and no explicit `origin` (the default wildcard), the CORS Middleware reflects the request's `Origin` and sends `Access-Control-Allow-Credentials: true`. Any site can then make credentialed cross-origin requests and read the responses, exposin |
| CVE-2026-54286 |  | — |  | < 4.14.5-r6 | 4.14.5-r6 | Jun 16, 2026 | Summary: On Windows hosts, an encoded backslash (`%5C`) in the request path decodes to `\`, which the Windows path resolver treats as a separator. `serve-static` then resolves a single URL segment such as `admin\secret.txt` into a nested file under the root and serves it, let |
| CVE-2026-54287 |  | — |  | < 4.14.5-r6 | 4.14.5-r6 | Jun 16, 2026 | Summary: On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple `Set-Cookie` headers into one comma-separated value. Because commas also appear inside cookie attributes (for example `Expires` dates), clients cannot split the value back int |
| CVE-2026-49978 |  | — |  | < 4.14.5-r7 | 4.14.5-r7 | Jun 15, 2026 | If the HTML you give it contains a `<template>` element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: |
| CVE-2026-49458 |  | — |  | < 4.14.5-r7 | 4.14.5-r7 | Jun 15, 2026 | Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks. CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open on fo |
| CVE-2026-49459 |  | — |  | < 4.14.5-r7 | 4.14.5-r7 | Jun 15, 2026 | IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM. CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove` is cal |
| CVE-2026-53655 |  | — |  | < 4.14.5-r7 | 4.14.5-r7 | Jun 15, 2026 | Summary: `tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (` |
| CVE-2026-53550 |  | — |  | < 4.14.5-r8 | 4.14.5-r8 | Jun 15, 2026 | Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event |
| CVE-2026-44496 | High | 7.5 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments |
| CVE-2026-44495 | High | 7.0 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transf |
| CVE-2026-44494 | High | 8.7 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man- |
| CVE-2026-44492 | High | 8.6 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00: |
| CVE-2026-44490 | Medium | 4.8 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios sil |
| CVE-2026-44488 | High | 7.5 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments wh |
| CVE-2026-44487 | High | 7.5 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios's Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial |
| CVE-2026-44486 | High | 7.5 |  | < 4.14.5-r5 | 4.14.5-r5 | Jun 11, 2026 | Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios's Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorizati |
| CVE-2026-46625 | High | 7.5 |  | < 4.14.5-r1 | 4.14.5-r1 | Jun 10, 2026 | JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an o |
| CVE-2026-44974 | High | — |  | < 4.14.5-r3 | 4.14.5-r3 | May 27, 2026 | Impact: The two parsers resolved duplicates inconsistently and silently: `Content.disposition()` retained the last occurrence of each parameter; `Content.type()` retained the first occurrence of charset and boundary. Either behavior creates a parameter-smuggling primitive |