VYPR

apk package

wolfi/datadog-cluster-agent-7.77

pkg:apk/wolfi/datadog-cluster-agent-7.77

Vulnerabilities (26)

  • CVE-2026-33814 · High · May 7, 2026
    affected < 7.77.3-r10 · fixed 7.77.3-r10

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-35469 · High · Apr 16, 2026
    affected < 7.77.3-r4 · fixed 7.77.3-r4

    spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,

  • CVE-2026-40179 · Medium · Apr 15, 2026
    affected < 0 · fixed 0

    Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne

  • CVE-2026-39883 · High · Apr 8, 2026
    affected < 7.77.3-r4 · fixed 7.77.3-r4

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-29181 · High · Apr 7, 2026
    affected < 7.77.3-r4 · fixed 7.77.3-r4

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify CPU and allocations by sending many bagg

  • CVE-2026-27141 · High · Feb 26, 2026
    affected < 7.77.3-r1 · fixed 7.77.3-r1

    Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic.

Page 2 of 2