apk package
wolfi/katib-earlystopping
pkg:apk/wolfi/katib-earlystopping
Vulnerabilities (73)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45409 | Med | 5.3 | < 0.19.0-r21 | 0.19.0-r21 | Jun 5, 2026 | Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t | |
| CVE-2026-47265 | Hig | 7.5 | < 0.19.0-r18 | 0.19.0-r18 | Jun 2, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then | |
| CVE-2026-34993 | Med | 6.4 | < 0.19.0-r18 | 0.19.0-r18 | Jun 2, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is | |
| CVE-2026-44432 | Hig | 7.5 | < 0.19.0-r21 | 0.19.0-r21 | May 13, 2026 | urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w | |
| CVE-2026-44431 | Med | 5.3 | < 0.19.0-r21 | 0.19.0-r21 | May 13, 2026 | urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0. | |
| CVE-2026-6357 | Med | — | < 0.19.0-r15 | 0.19.0-r15 | Apr 27, 2026 | pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct | |
| CVE-2026-3219 | Med | — | < 0.19.0-r13 | 0.19.0-r13 | Apr 20, 2026 | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior | |
| CVE-2026-33672 | Med | 5.3 | < 0.19.0-r25 | 0.19.0-r25 | Mar 26, 2026 | Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions | |
| CVE-2026-33671 | Hig | 7.5 | < 0.19.0-r25 | 0.19.0-r25 | Mar 26, 2026 | Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c | |
| CVE-2026-25645 | — | < 0.19.0-r13 | 0.19.0-r13 | Mar 25, 2026 | Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid | ||
| CVE-2026-4539 | Low | 3.3 | < 0.19.0-r21 | 0.19.0-r21 | Mar 22, 2026 | A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit | |
| CVE-2026-27904 | — | < 0.19.0-r23 | 0.19.0-r23 | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh | ||
| CVE-2026-27903 | — | < 0.19.0-r23 | 0.19.0-r23 | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a | ||
| CVE-2026-26996 | — | < 0.19.0-r23 | 0.19.0-r23 | Feb 20, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact | ||
| CVE-2026-1703 | Low | — | < 0.19.0-r5 | 0.19.0-r5 | Feb 2, 2026 | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat | |
| CVE-2026-0994 | Hig | 7.5 | < 0.19.0-r5 | 0.19.0-r5 | Jan 23, 2026 | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l | |
| CVE-2026-24049 | — | < 0.19.0-r5 | 0.19.0-r5 | Jan 22, 2026 | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil | ||
| CVE-2026-23949 | — | < 0.19.0-r4 | 0.19.0-r4 | Jan 20, 2026 | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta | ||
| CVE-2026-23490 | — | < 0.19.0-r4 | 0.19.0-r4 | Jan 16, 2026 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. | ||
| CVE-2026-21441 | — | < 0.19.0-r13 | 0.19.0-r13 | Jan 7, 2026 | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b |
- affected < 0.19.0-r21fixed 0.19.0-r21
Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize t
- affected < 0.19.0-r18fixed 0.19.0-r18
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then
- affected < 0.19.0-r18fixed 0.19.0-r18
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is
- affected < 0.19.0-r21fixed 0.19.0-r21
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) w
- affected < 0.19.0-r21fixed 0.19.0-r21
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
- affected < 0.19.0-r15fixed 0.19.0-r15
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct
- affected < 0.19.0-r13fixed 0.19.0-r13
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior
- affected < 0.19.0-r25fixed 0.19.0-r25
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions
- affected < 0.19.0-r25fixed 0.19.0-r25
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c
- CVE-2026-25645Mar 25, 2026affected < 0.19.0-r13fixed 0.19.0-r13
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid
- affected < 0.19.0-r21fixed 0.19.0-r21
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit
- CVE-2026-27904Feb 26, 2026affected < 0.19.0-r23fixed 0.19.0-r23
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh
- CVE-2026-27903Feb 26, 2026affected < 0.19.0-r23fixed 0.19.0-r23
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a
- CVE-2026-26996Feb 20, 2026affected < 0.19.0-r23fixed 0.19.0-r23
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact
- affected < 0.19.0-r5fixed 0.19.0-r5
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat
- affected < 0.19.0-r5fixed 0.19.0-r5
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l
- CVE-2026-24049Jan 22, 2026affected < 0.19.0-r5fixed 0.19.0-r5
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil
- CVE-2026-23949Jan 20, 2026affected < 0.19.0-r4fixed 0.19.0-r4
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta
- CVE-2026-23490Jan 16, 2026affected < 0.19.0-r4fixed 0.19.0-r4
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
- CVE-2026-21441Jan 7, 2026affected < 0.19.0-r13fixed 0.19.0-r13
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b
Page 1 of 4