apk package

wolfi/kserve-storage-controller

pkg:apk/wolfi/kserve-storage-controller

Vulnerabilities (70)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-28684	Med	6.6	< 0.17.0-r2	0.17.0-r2	Apr 20, 2026	python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a c
CVE-2026-40347	Med	5.3	< 0.17.0-r2	0.17.0-r2	Apr 18, 2026	Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the
CVE-2026-39892	Cri	9.8	< 0.16.0-r25	0.16.0-r25	Apr 8, 2026	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner
CVE-2026-34525	Med	5.3	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
CVE-2026-34520	Cri	9.1	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
CVE-2026-34519	Med	5.3	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34518	Med	5.3	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in
CVE-2026-34517	Med	5.3	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
CVE-2026-34516	Hig	7.5	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched
CVE-2026-34515	Hig	7.5	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
CVE-2026-34514	Med	5.3	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34513	Hig	7.5	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
CVE-2026-22815	Hig	7.5	< 0.17.0-r2	0.17.0-r2	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
CVE-2026-34073	Med	5.3	< 0.16.0-r24	0.16.0-r24	Mar 31, 2026	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently
CVE-2026-25645		—	< 0.16.0-r24	0.16.0-r24	Mar 25, 2026	Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid
CVE-2026-4539	Low	3.3	< 0.16.0-r24	0.16.0-r24	Mar 22, 2026	A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit
CVE-2026-32597	Hig	7.5	< 0.16.0-r22	0.16.0-r22	Mar 13, 2026	PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i
CVE-2026-32274		—	< 0.16.0-r22	0.16.0-r22	Mar 12, 2026	Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker wh
CVE-2026-26007		—	< 0.16.0-r13	0.16.0-r13	Feb 10, 2026	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke
CVE-2026-0994	Hig	7.5	< 0.16.0-r10	0.16.0-r10	Jan 23, 2026	A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

CVE-2026-28684MedApr 20, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, `set_key()` and `unset_key()` in python-dotenv follow symbolic links when rewriting `.env` files, allowing a local attacker to overwrite arbitrary files via a c
CVE-2026-40347MedApr 18, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the
CVE-2026-39892CriApr 8, 2026
affected < 0.16.0-r25fixed 0.16.0-r25
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner
CVE-2026-34525MedApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
CVE-2026-34520CriApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
CVE-2026-34519MedApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34518MedApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in
CVE-2026-34517MedApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
CVE-2026-34516HigApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched
CVE-2026-34515HigApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
CVE-2026-34514MedApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34513HigApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
CVE-2026-22815HigApr 1, 2026
affected < 0.17.0-r2fixed 0.17.0-r2
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
CVE-2026-34073MedMar 31, 2026
affected < 0.16.0-r24fixed 0.16.0-r24
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently
CVE-2026-25645Mar 25, 2026
affected < 0.16.0-r24fixed 0.16.0-r24
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid
CVE-2026-4539LowMar 22, 2026
affected < 0.16.0-r24fixed 0.16.0-r24
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit
CVE-2026-32597HigMar 13, 2026
affected < 0.16.0-r22fixed 0.16.0-r22
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token i
CVE-2026-32274Mar 12, 2026
affected < 0.16.0-r22fixed 0.16.0-r22
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker wh
CVE-2026-26007Feb 10, 2026
affected < 0.16.0-r13fixed 0.16.0-r13
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke
CVE-2026-0994HigJan 23, 2026
affected < 0.16.0-r10fixed 0.16.0-r10
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

Page 1 of 4