apk package

wolfi/kubeflow-pipelines-frontend

pkg:apk/wolfi/kubeflow-pipelines-frontend

Vulnerabilities (130)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-42338	Med	6.1	< 2.16.1-r1	2.16.1-r1	May 12, 2026	ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
CVE-2026-41650	Med	6.1	< 2.16.0-r19	2.16.0-r19	May 7, 2026	fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This
CVE-2026-41907	Hig	7.5	< 2.16.0-r19	2.16.0-r19	Apr 24, 2026	uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi
CVE-2025-62718	Cri	9.9	< 2.16.0-r13	2.16.0-r13	Apr 9, 2026	Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_
CVE-2026-4800	Hig	8.1	< 2.16.0-r11	2.16.0-r11	Mar 31, 2026	Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a
CVE-2026-2950	Med	6.5	< 2.16.0-r11	2.16.0-r11	Mar 31, 2026	Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca
CVE-2026-33896	Hig	7.4	< 2.16.0-r11	2.16.0-r11	Mar 27, 2026	Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints`
CVE-2026-33895	Hig	7.5	< 2.16.0-r11	2.16.0-r11	Mar 27, 2026	Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signa
CVE-2026-33894	Hig	7.5	< 2.16.0-r11	2.16.0-r11	Mar 27, 2026	Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garba
CVE-2026-33891	Hig	7.5	< 2.16.0-r11	2.16.0-r11	Mar 27, 2026	Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from
CVE-2026-33672	Med	5.3	< 2.16.0-r11	2.16.0-r11	Mar 26, 2026	Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions
CVE-2026-33671	Hig	7.5	< 2.16.0-r11	2.16.0-r11	Mar 26, 2026	Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c
CVE-2026-4867	Hig	7.5	< 2.16.0-r12	2.16.0-r12	Mar 26, 2026	Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu
CVE-2026-33349		—	< 2.16.0-r10	2.16.0-r10	Mar 24, 2026	fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration
CVE-2026-33036		—	< 2.16.0-r9	2.16.0-r9	Mar 20, 2026	fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa
CVE-2026-3449	Low	3.3	< 2.16.0-r7	2.16.0-r7	Mar 3, 2026	Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang
CVE-2026-27942		—	< 2.16.0-r2	2.16.0-r2	Feb 26, 2026	fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8
CVE-2026-26996		—	< 2.16.0-r0	2.16.0-r0	Feb 20, 2026	minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact
CVE-2026-26960		—	< 2.15.0-r12	2.15.0-r12	Feb 20, 2026	node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t
CVE-2026-26278		—	< 2.15.0-r12	2.15.0-r12	Feb 19, 2026	fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu

CVE-2026-42338MedMay 12, 2026
affected < 2.16.1-r1fixed 2.16.1-r1
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emi
CVE-2026-41650MedMay 7, 2026
affected < 2.16.0-r19fixed 2.16.0-r19
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This
CVE-2026-41907HigApr 24, 2026
affected < 2.16.0-r19fixed 2.16.0-r19
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fi
CVE-2025-62718CriApr 9, 2026
affected < 2.16.0-r13fixed 2.16.0-r13
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_
CVE-2026-4800HigMar 31, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a
CVE-2026-2950MedMar 31, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca
CVE-2026-33896HigMar 27, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints`
CVE-2026-33895HigMar 27, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid signa
CVE-2026-33894HigMar 27, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garba
CVE-2026-33891HigMar 27, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, a Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from
CVE-2026-33672MedMar 26, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions
CVE-2026-33671HigMar 26, 2026
affected < 2.16.0-r11fixed 2.16.0-r11
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c
CVE-2026-4867HigMar 26, 2026
affected < 2.16.0-r12fixed 2.16.0-r12
Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambigu
CVE-2026-33349Mar 24, 2026
affected < 2.16.0-r10fixed 2.16.0-r10
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration
CVE-2026-33036Mar 20, 2026
affected < 2.16.0-r9fixed 2.16.0-r9
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa
CVE-2026-3449LowMar 3, 2026
affected < 2.16.0-r7fixed 2.16.0-r7
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang
CVE-2026-27942Feb 26, 2026
affected < 2.16.0-r2fixed 2.16.0-r2
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8
CVE-2026-26996Feb 20, 2026
affected < 2.16.0-r0fixed 2.16.0-r0
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact
CVE-2026-26960Feb 20, 2026
affected < 2.15.0-r12fixed 2.15.0-r12
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t
CVE-2026-26278Feb 19, 2026
affected < 2.15.0-r12fixed 2.15.0-r12
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu

Page 1 of 7