VYPR

apk package

chainguard/wazuh-dashboard-plugins-fips

pkg:apk/chainguard/wazuh-dashboard-plugins-fips

Vulnerabilities (12)

  • CVE-2026-49978Jun 15, 2026
    affected < 4.14.5-r7fixed 4.14.5-r7

    If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript:

  • CVE-2026-49458Jun 15, 2026
    affected < 4.14.5-r7fixed 4.14.5-r7

    # Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — realm-bound `instanceof` checks fail-open on fo

  • CVE-2026-49459Jun 15, 2026
    affected < 4.14.5-r7fixed 4.14.5-r7

    # IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM **CWE**: CWE-79 (XSS — Improper Neutralization of Input During Web Page Generation) via CWE-693 (Protection Mechanism Failure — silent no-op when `_forceRemove` is cal

  • CVE-2026-53550Jun 15, 2026
    affected < 0fixed 0

    ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event

  • CVE-2026-12143HigJun 12, 2026
    affected < 4.14.5-r7fixed 4.14.5-r7

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line fee

  • CVE-2026-45736MedMay 15, 2026
    affected < 4.14.4-r3fixed 4.14.4-r3

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-42264HigMay 8, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnPropert

  • CVE-2026-41907HigApr 24, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi

  • CVE-2026-42044MedApr 24, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, in

  • CVE-2026-41240MedApr 23, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The

  • CVE-2026-41239MedApr 23, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrusted HTML. This works in string mode but not with `RETURN_DOM` or `RETURN_DOM_FRAGM

  • CVE-2026-41238MedApr 23, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMPurify.sanitize()` with the default configuration (no `CUSTOM_ELEMENT_HANDLING` op