VYPR

apk package

wolfi/opensearch-dashboards-2

pkg:apk/wolfi/opensearch-dashboards-2

Vulnerabilities (115)

  • CVE-2026-42041MedApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), c

  • CVE-2026-42040LowApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function in lib/helpers/AxiosURLSearchParams.js contains a character mapping (charMap) at line 21 that reverses the safe percent-encoding of null bytes. After encodeURICompo

  • CVE-2026-42039HigApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixe

  • CVE-2026-42038MedApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. Th

  • CVE-2026-42037MedApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) seque

  • CVE-2026-42036MedApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream c

  • CVE-2026-42035HigApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability ex

  • CVE-2026-42034MedApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets

  • CVE-2026-42033HigApr 24, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON respo

  • CVE-2026-40175MedApr 10, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound

  • CVE-2025-62718CriApr 9, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_

  • CVE-2026-39410MedApr 8, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may

  • CVE-2026-39409MedApr 8, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-s

  • CVE-2026-39408HigApr 8, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgP

  • CVE-2026-39407MedApr 8, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g.,

  • CVE-2026-39406MedApr 8, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    @hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used f

  • CVE-2026-35213HigApr 6, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    @hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers c

  • CVE-2026-4800HigMar 31, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-2950MedMar 31, 2026
    affected < 2.19.5-r8fixed 2.19.5-r8

    Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker ca

  • CVE-2026-34043MedMar 31, 2026
    affected < 2.19.5-r10fixed 2.19.5-r10

    Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Ar

Page 2 of 6