VYPR

apk package

wolfi/py3.13-jupyterlab

pkg:apk/wolfi/py3.13-jupyterlab

Vulnerabilities (11)

  • CVE-2026-45736 | Medium | May 15, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-4800 | High | Mar 31, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-33939 | High | Mar 27, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")

  • CVE-2026-33916 | Medium | Mar 27, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal

  • CVE-2026-26996 | Feb 20, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-2391 | Feb 12, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass

  • CVE-2026-24842 | Jan 28, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that b

  • CVE-2025-13465 | Medium | Jan 21, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2026-23745 | Jan 16, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading t

  • CVE-2025-66648 | Jan 5, 2026
    affected < 4.6.1-r1, fixed 4.6.1-r1

    vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (

  • CVE-2024-21501 | Medium | Feb 24, 2024
    affected < 4.6.1-r1, fixed 4.6.1-r1

    Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to