VYPR

apk package

wolfi/prism

pkg:apk/wolfi/prism

Vulnerabilities (84)

  • CVE-2026-33938 (High) Mar 27, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objec

  • CVE-2026-33937 (Critical) Mar 27, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the ge

  • CVE-2026-33916 (Medium) Mar 27, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal

  • CVE-2026-33750 (Medium) Mar 27, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process

  • CVE-2026-33672 (Medium) Mar 26, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions

  • CVE-2026-33671 (High) Mar 26, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when c

  • CVE-2026-33532 (Medium) Mar 26, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive funct

  • CVE-2026-33349 Mar 24, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration

  • CVE-2026-33228 Mar 20, 2026
    affected < 5.14.3-r13, fixed 5.14.3-r13

    flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, a

  • CVE-2026-33036 Mar 20, 2026
    affected < 5.14.3-r12, fixed 5.14.3-r12

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa

  • CVE-2026-32141 Mar 12, 2026
    affected < 5.14.3-r10, fixed 5.14.3-r10

    flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, caus

  • CVE-2026-29786 Mar 7, 2026
    affected < 5.14.3-r9, fixed 5.14.3-r9

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar

  • CVE-2026-27601 (Medium) Mar 3, 2026
    affected < 5.14.3-r9, fixed 5.14.3-r9

    Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a s

  • CVE-2026-3449 (Low) Mar 3, 2026
    affected < 5.15.11-r0, fixed 5.15.11-r0

    Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang

  • CVE-2026-27942 Feb 26, 2026
    affected < 5.14.3-r8, fixed 5.14.3-r8

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true`. Version 5.3.8

  • CVE-2026-27904 Feb 26, 2026
    affected < 5.14.3-r8, fixed 5.14.3-r8

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903 Feb 26, 2026
    affected < 5.14.3-r8, fixed 5.14.3-r8

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a

  • CVE-2026-25896 Feb 20, 2026
    affected < 5.14.3-r7, fixed 5.14.3-r7

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an att

  • CVE-2026-26996 Feb 20, 2026
    affected < 5.14.3-r8, fixed 5.14.3-r8

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-26960 Feb 20, 2026
    affected < 5.14.3-r7, fixed 5.14.3-r7

    node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t