VYPR

apk package

wolfi/cinc-auditor

pkg:apk/wolfi/cinc-auditor

Vulnerabilities (8)

  • CVE-2026-33637 (severity: Non; published May 19, 2026)
    affected: < 7.1.7-r0; fixed: 7.1.7-r0

    Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build

  • CVE-2026-45363 (severity: High; published May 18, 2026)
    affected: < 7.1.7-r0; fixed: 7.1.7-r0

    `JWT.decode(token, '', true, algorithm: 'HS256')` accepts an attacker-forged token. `OpenSSL::HMAC.digest('SHA256', '', payload)` returns a valid digest under an empty key, and no `raise InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm. `JWT.decode(t

  • CVE-2026-35611 (severity: High; published Apr 7, 2026)
    affected: < 7.0.107-r3; fixed: 7.0.107-r3

    Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic b

  • CVE-2026-33176 (published Mar 23, 2026)
    affected: < 7.0.107-r1; fixed: 7.0.107-r1

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which `BigDecimal` expands

  • CVE-2026-33170 (published Mar 23, 2026)
    affected: < 7.0.107-r1; fixed: 7.0.107-r1

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in pl

  • CVE-2026-33169 (published Mar 23, 2026)
    affected: < 7.0.107-r1; fixed: 7.0.107-r1

    Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. `NumberToDelimitedConverter` uses a lookahead-based regular expression with `gsub!` to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the i

  • CVE-2026-33210 (published Mar 20, 2026)
    affected: < 7.0.107-r1; fixed: 7.0.107-r1

    Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used

  • CVE-2026-25765 (published Feb 9, 2026)
    affected: < 7.0.95-r6; fixed: 7.0.95-r6

    Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per