VYPR

apk package

wolfi/mattermost-11.4

pkg:apk/wolfi/mattermost-11.4

Vulnerabilities (29)

  • CVE-2026-27143CriApr 8, 2026
    affected < 11.4.5-r0fixed 11.4.5-r0

    Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

  • CVE-2026-27140HigApr 8, 2026
    affected < 11.4.5-r0fixed 11.4.5-r0

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2026-33487HigMar 26, 2026
    affected < 11.4.3-r2fixed 11.4.3-r2

    goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo

  • CVE-2026-33809MedMar 25, 2026
    affected < 11.4.3-r3fixed 11.4.3-r3

    A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

  • CVE-2026-33186CriMar 20, 2026
    affected < 11.4.3-r1fixed 11.4.3-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-27141HigFeb 26, 2026
    affected < 11.4.3-r4fixed 11.4.3-r4

    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

  • CVE-2026-26958LowFeb 19, 2026
    affected < 0fixed 0

    filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin

  • CVE-2022-4045Nov 23, 2022
    affected < 0fixed 0

    A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. 

  • CVE-2022-4019Nov 23, 2022
    affected < 0fixed 0

    A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.

Page 2 of 2