VYPR

apk package

chainguard/wazuh-dashboard-dashboards-maps-fips

pkg:apk/chainguard/wazuh-dashboard-dashboards-maps-fips

Vulnerabilities (5)

  • CVE-2026-49978Jun 15, 2026
    affected < 4.14.5-r7fixed 4.14.5-r7

    If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:

  • CVE-2026-49458Jun 15, 2026
    affected < 4.14.5-r7fixed 4.14.5-r7

    # Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open on fo

  • CVE-2026-49459Jun 15, 2026
    affected < 4.14.5-r7fixed 4.14.5-r7

    # IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove` is cal

  • CVE-2026-41907HigApr 24, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-5758MedApr 15, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.