VYPR

apk package

chainguard/wazuh-dashboard-dashboards-reporting-fips

pkg:apk/chainguard/wazuh-dashboard-dashboards-reporting-fips

Vulnerabilities (9)

  • CVE-2026-49978 (Jun 15, 2026)
    affected < 4.14.5-r7, fixed 4.14.5-r7

    If the HTML you give it contains a <template> element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:

  • CVE-2026-49458 (Jun 15, 2026)
    affected < 4.14.5-r7, fixed 4.14.5-r7

    Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks. CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open on fo

  • CVE-2026-49459 (Jun 15, 2026)
    affected < 4.14.5-r7, fixed 4.14.5-r7

    IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM. CWE: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove` is cal

  • CVE-2026-53550 (Jun 15, 2026)
    affected < 0, fixed 0

    Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-48779 (High, Jun 15, 2026)
    affected < 4.14.5-r7, fixed 4.14.5-r7

    Impact: A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, lea

  • CVE-2026-12143 (High, Jun 12, 2026)
    affected < 4.14.5-r7, fixed 4.14.5-r7

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-49982 (High, Jun 11, 2026)
    affected < 4.14.5-r7, fixed 4.14.5-r7

    tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any obje

  • CVE-2026-44705 (High, Jun 11, 2026)
    affected < 4.14.5-r3, fixed 4.14.5-r3

    tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal

  • CVE-2026-41907 (High, Apr 24, 2026)
    affected < 4.14.4-r1, fixed 4.14.4-r1

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi