apk package

wolfi/grafana-11.5

pkg:apk/wolfi/grafana-11.5

Vulnerabilities (46)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-11065	Med	5.3	< 11.5.8-r1	11.5.8-r1	Jan 26, 2026	A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process
CVE-2025-47914		—	< 0	0	Nov 19, 2025	SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
CVE-2025-58181		—	< 0	0	Nov 19, 2025	SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
CVE-2025-47913		—	< 0	0	Nov 13, 2025	SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
CVE-2025-47907		—	< 11.5.7-r2	11.5.7-r2	Aug 7, 2025	Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-8556	Low	3.7	< 11.5.5-r2	11.5.5-r2	Aug 6, 2025	A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
CVE-2025-1088	Low	2.7	< 0	0	Jun 18, 2025	In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
CVE-2025-48371		—	< 11.5.5-r1	11.5.5-r1	May 22, 2025	OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us
CVE-2025-46331		—	< 11.5.10-r0	11.5.10-r0	Apr 30, 2025	OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c
CVE-2025-22872	Med	6.5	< 11.5.3.01-r0	11.5.3.01-r0	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-30204	Hig	7.5	< 11.5.2-r7	11.5.2-r7	Mar 21, 2025	golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou
CVE-2025-30153	Hig	7.5	< 0	0	Mar 19, 2025	kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system
CVE-2025-22868		—	< 11.5.2-r3	11.5.2-r3	Feb 26, 2025	An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869		—	< 11.5.2-r4	11.5.2-r4	Feb 26, 2025	SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-27144	Med	—	< 11.5.2-r2	11.5.2-r2	Feb 24, 2025	Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
CVE-2025-25196		—	< 11.5.2-r1	11.5.2-r1	Feb 19, 2025	OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are exe
CVE-2025-22866	Med	4.0	< 11.5.1-r1	11.5.1-r1	Feb 6, 2025	Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-56323		—	< 11.5.0-r1	11.5.0-r1	Jan 13, 2025	OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [c
CVE-2024-6485	Med	6.4	< 11.5.10-r0	11.5.10-r0	Jul 11, 2024	A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript cod
CVE-2022-31022		—	< 0	0	Jun 1, 2022	Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (blev

CVE-2025-11065MedJan 26, 2026
affected < 11.5.8-r1fixed 11.5.8-r1
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process
CVE-2025-47914Nov 19, 2025
affected < 0fixed 0
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
CVE-2025-58181Nov 19, 2025
affected < 0fixed 0
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
CVE-2025-47913Nov 13, 2025
affected < 0fixed 0
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
CVE-2025-47907Aug 7, 2025
affected < 11.5.7-r2fixed 11.5.7-r2
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-8556LowAug 6, 2025
affected < 11.5.5-r2fixed 11.5.5-r2
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
CVE-2025-1088LowJun 18, 2025
affected < 0fixed 0
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana. This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
CVE-2025-48371May 22, 2025
affected < 11.5.5-r1fixed 11.5.5-r1
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us
CVE-2025-46331Apr 30, 2025
affected < 11.5.10-r0fixed 11.5.10-r0
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c
CVE-2025-22872MedApr 16, 2025
affected < 11.5.3.01-r0fixed 11.5.3.01-r0
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-30204HigMar 21, 2025
affected < 11.5.2-r7fixed 11.5.2-r7
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou
CVE-2025-30153HigMar 19, 2025
affected < 0fixed 0
kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system
CVE-2025-22868Feb 26, 2025
affected < 11.5.2-r3fixed 11.5.2-r3
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869Feb 26, 2025
affected < 11.5.2-r4fixed 11.5.2-r4
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-27144MedFeb 24, 2025
affected < 11.5.2-r2fixed 11.5.2-r2
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par
CVE-2025-25196Feb 19, 2025
affected < 11.5.2-r1fixed 11.5.2-r1
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA < v1.8.4 (Helm chart < openfga-0.2.22, docker < v.1.8.4) are vulnerable to authorization bypass when certain Check and ListObject calls are exe
CVE-2025-22866MedFeb 6, 2025
affected < 11.5.1-r1fixed 11.5.1-r1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-56323Jan 13, 2025
affected < 11.5.0-r1fixed 11.5.0-r1
OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [c
CVE-2024-6485MedJul 11, 2024
affected < 11.5.10-r0fixed 11.5.10-r0
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript cod
CVE-2022-31022Jun 1, 2022
affected < 0fixed 0
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (blev

Page 2 of 3