VYPR

apk package

wolfi/kyverno-background-controller-1.17

pkg:apk/wolfi/kyverno-background-controller-1.17

Vulnerabilities (31)

  • CVE-2026-39395MedApr 7, 2026
    affected < 1.17.2-r14fixed 1.17.2-r14

    Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and det

  • CVE-2026-34986HigApr 6, 2026
    affected < 1.17.1-r11fixed 1.17.1-r11

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-4789CriMar 30, 2026
    affected < 1.17.1-r13fixed 1.17.1-r13

    Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.

  • CVE-2026-33186CriMar 20, 2026
    affected < 1.17.1-r6fixed 1.17.1-r6

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-27142MedMar 6, 2026
    affected < 1.17.1-r4fixed 1.17.1-r4

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap

  • CVE-2026-27139LowMar 6, 2026
    affected < 1.17.1-r4fixed 1.17.1-r4

    On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary

  • CVE-2026-25679HigMar 6, 2026
    affected < 1.17.1-r4fixed 1.17.1-r4

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-15558Mar 4, 2026
    affected < 1.17.1-r5fixed 1.17.1-r5

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2026-1229Feb 24, 2026
    affected < 1.17.1-r1fixed 1.17.1-r1

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2026-24122Feb 19, 2026
    affected < 1.17.2-r11fixed 1.17.2-r11

    Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issui

  • CVE-2026-24051HigFeb 2, 2026
    affected < 1.17.1-r2fixed 1.17.1-r2

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

Page 2 of 2