VYPR

apk package

chainguard/wazuh-dashboard

pkg:apk/chainguard/wazuh-dashboard

Vulnerabilities (71)

  • CVE-2026-42035HigApr 24, 2026
    affected < 4.14.5-r5fixed 4.14.5-r5

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability ex

  • CVE-2026-42034MedApr 24, 2026
    affected < 4.14.5-r5fixed 4.14.5-r5

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets

  • CVE-2026-42033HigApr 24, 2026
    affected < 4.14.5-r5fixed 4.14.5-r5

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON respo

  • CVE-2026-56761medApr 16, 2026
    affected < 4.14.4-r3fixed 4.14.4-r3

    ## Summary Improper handling of JSX attribute names in hono/jsx allows malformed attribute keys to corrupt the generated HTML output. When untrusted input is used as attribute keys during server-side rendering, specially crafted keys can break out of attribute or tag boundaries

  • CVE-2026-40175MedApr 10, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound

  • CVE-2025-62718CriApr 9, 2026
    affected < 4.14.4-r2fixed 4.14.4-r2

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_

  • CVE-2026-4800HigMar 31, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-34043MedMar 31, 2026
    affected < 4.14.4-r3fixed 4.14.4-r3

    Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Ar

  • CVE-2026-33941HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly i

  • CVE-2026-33940HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebar

  • CVE-2026-33939HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")

  • CVE-2026-33938HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objec

  • CVE-2026-33937CriMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the ge

  • CVE-2026-33916MedMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal

  • CVE-2026-33896HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints`

  • CVE-2026-33895HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signa

  • CVE-2026-33894HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garba

  • CVE-2026-33891HigMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from

  • CVE-2026-33750MedMar 27, 2026
    affected < 4.14.4-r1fixed 4.14.4-r1

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process