apk package
wolfi/grafana-11.6-oci-compat
pkg:apk/wolfi/grafana-11.6-oci-compat
Vulnerabilities (16)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11065 | Med | 5.3 | < 11.6.5-r1 | 11.6.5-r1 | Jan 26, 2026 | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process | |
| CVE-2025-47914 | — | < 0 | 0 | Nov 19, 2025 | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | ||
| CVE-2025-58181 | — | < 11.6.8-r1 | 11.6.8-r1 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-47907 | — | < 11.6.4-r2 | 11.6.4-r2 | Aug 7, 2025 | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex | ||
| CVE-2025-8556 | Low | 3.7 | < 11.6.2-r2 | 11.6.2-r2 | Aug 6, 2025 | A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. | |
| CVE-2025-48371 | — | < 11.6.2-r1 | 11.6.2-r1 | May 22, 2025 | OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us | ||
| CVE-2025-46331 | — | < 11.6.8-r0 | 11.6.8-r0 | Apr 30, 2025 | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c | ||
| CVE-2025-22872 | Med | 6.5 | < 11.6.0-r2 | 11.6.0-r2 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-30153 | Hig | 7.5 | < 0 | 0 | Mar 19, 2025 | kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system | |
| CVE-2024-6485 | Med | 6.4 | < 11.6.7-r0 | 11.6.7-r0 | Jul 11, 2024 | A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript cod | |
| CVE-2022-31022 | — | < 11.6.7-r0 | 11.6.7-r0 | Jun 1, 2022 | Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (blev | ||
| CVE-2018-20677 | — | < 11.6.7-r0 | 11.6.7-r0 | Jan 9, 2019 | In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. | ||
| CVE-2018-20676 | — | < 11.6.7-r0 | 11.6.7-r0 | Jan 9, 2019 | In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. | ||
| CVE-2016-10735 | — | < 11.6.7-r0 | 11.6.7-r0 | Jan 9, 2019 | In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. | ||
| CVE-2018-14042 | — | < 11.6.7-r0 | 11.6.7-r0 | Jul 13, 2018 | In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. | ||
| CVE-2018-14040 | — | < 11.6.7-r0 | 11.6.7-r0 | Jul 13, 2018 | In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. |
- affected < 11.6.5-r1fixed 11.6.5-r1
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data process
- CVE-2025-47914Nov 19, 2025affected < 0fixed 0
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
- CVE-2025-58181Nov 19, 2025affected < 11.6.8-r1fixed 11.6.8-r1
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-47907Aug 7, 2025affected < 11.6.4-r2fixed 11.6.4-r2
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
- affected < 11.6.2-r2fixed 11.6.2-r2
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
- CVE-2025-48371May 22, 2025affected < 11.6.2-r1fixed 11.6.2-r1
OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Us
- CVE-2025-46331Apr 30, 2025affected < 11.6.8-r0fixed 11.6.8-r0
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 (Helm chart <= openfga-0.2.28, docker <= v.1.8.10) are vulnerable to authorization bypass when certain Check and ListObject c
- affected < 11.6.0-r2fixed 11.6.0-r2
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 0fixed 0
kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system
- affected < 11.6.7-r0fixed 11.6.7-r0
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript cod
- CVE-2022-31022Jun 1, 2022affected < 11.6.7-r0fixed 11.6.7-r0
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (blev
- CVE-2018-20677Jan 9, 2019affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
- CVE-2018-20676Jan 9, 2019affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
- CVE-2016-10735Jan 9, 2019affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
- CVE-2018-14042Jul 13, 2018affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
- CVE-2018-14040Jul 13, 2018affected < 11.6.7-r0fixed 11.6.7-r0
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.