VYPR

apk package

wolfi/neo4j-5.26

pkg:apk/wolfi/neo4j-5.26

Vulnerabilities (35)

  • CVE-2026-34480HigApr 10, 2026
    affected < 5.26.23-r3fixed 5.26.23-r3

    Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whene

  • CVE-2026-33870Mar 27, 2026
    affected < 5.26.23-r1fixed 5.26.23-r1

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2026-1605Mar 5, 2026
    affected < 5.26.21-r3fixed 5.26.21-r3

    In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated

  • CVE-2025-11143Mar 5, 2026
    affected < 5.26.21-r3fixed 5.26.21-r3

    The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR

  • CVE-2026-23901Feb 10, 2026
    affected < 5.26.21-r2fixed 5.26.21-r2

    Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. Users are recommended to upgrade to version 2.0.7 or later, which fixes the issue. Prior to Shiro 2.0.7, code paths for non-existent vs. existing users are

  • CVE-2026-1622MedFeb 4, 2026
    affected < 5.26.21-r0fixed 5.26.21-r0

    Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The "obfuscate_literals" option in the query logs does not redact error information, exp

  • CVE-2025-12383Nov 18, 2025
    affected < 5.26.16-r1fixed 5.26.16-r1

    In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but

  • CVE-2025-58057Sep 3, 2025
    affected < 5.26.12-r0fixed 5.26.12-r0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s

  • CVE-2025-58056Sep 3, 2025
    affected < 5.26.12-r0fixed 5.26.12-r0

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch

  • CVE-2025-5115Aug 20, 2025
    affected < 5.26.10-r2fixed 5.26.10-r2

    In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th

  • CVE-2025-48924Jul 11, 2025
    affected < 5.26.9-r1fixed 5.26.9-r1

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr

  • CVE-2025-1948May 8, 2025
    affected < 5.26.6-r1fixed 5.26.6-r1

    In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the sp

  • CVE-2025-25193Feb 10, 2025
    affected < 0fixed 0

    Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts

  • CVE-2025-24970Feb 10, 2025
    affected < 5.26.4-r0fixed 5.26.4-r0

    Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas

  • CVE-2024-6763Oct 14, 2024
    affected < 5.26.2-r0fixed 5.26.2-r0

    Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro

Page 2 of 2