apk package
chainguard/wazuh-dashboard-dashboards-maps
pkg:apk/chainguard/wazuh-dashboard-dashboards-maps
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-49978 | — | < 4.14.5-r7 | 4.14.5-r7 | Jun 15, 2026 | If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: | ||
| CVE-2026-49458 | — | < 4.14.5-r7 | 4.14.5-r7 | Jun 15, 2026 | # Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open on fo | ||
| CVE-2026-49459 | — | < 4.14.5-r7 | 4.14.5-r7 | Jun 15, 2026 | # IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove` is cal | ||
| CVE-2026-41907 | Hig | 7.5 | < 4.14.4-r2 | 4.14.4-r2 | Apr 24, 2026 | uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi | |
| CVE-2026-41240 | Med | 6.1 | < 4.14.4-r3 | 4.14.4-r3 | Apr 23, 2026 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The | |
| CVE-2026-41239 | Med | 6.8 | < 4.14.4-r3 | 4.14.4-r3 | Apr 23, 2026 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGM | |
| CVE-2026-41238 | Med | 6.9 | < 4.14.4-r3 | 4.14.4-r3 | Apr 23, 2026 | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` op | |
| CVE-2026-5758 | Med | 6.5 | < 4.14.4-r3 | 4.14.4-r3 | Apr 15, 2026 | JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution. |
- CVE-2026-49978Jun 15, 2026affected < 4.14.5-r7fixed 4.14.5-r7
If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:
- CVE-2026-49458Jun 15, 2026affected < 4.14.5-r7fixed 4.14.5-r7
# Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open on fo
- CVE-2026-49459Jun 15, 2026affected < 4.14.5-r7fixed 4.14.5-r7
# IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove` is cal
- affected < 4.14.4-r2fixed 4.14.4-r2
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi
- affected < 4.14.4-r3fixed 4.14.4-r3
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The
- affected < 4.14.4-r3fixed 4.14.4-r3
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGM
- affected < 4.14.4-r3fixed 4.14.4-r3
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` op
- affected < 4.14.4-r3fixed 4.14.4-r3
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.