VYPR

apk package

wolfi/seaweedfs

pkg:apk/wolfi/seaweedfs

Vulnerabilities (50)

  • CVE-2026-46602Jun 27, 2026
    affected < 4.36-r2fixed 4.36-r2

    The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

  • CVE-2026-46604Jun 27, 2026
    affected < 4.36-r2fixed 4.36-r2

    The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

  • CVE-2026-46601modJun 25, 2026
    affected < 4.36-r2fixed 4.36-r2

    golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images

  • CVE-2026-46599HigMay 29, 2026
    affected < 4.34-r1fixed 4.34-r1

    The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

  • CVE-2026-42500MedMay 29, 2026
    affected < 4.34-r1fixed 4.34-r1

    Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.

  • CVE-2026-42506MedMay 22, 2026
    affected < 0fixed 0

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-42502MedMay 22, 2026
    affected < 0fixed 0

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-39821CriMay 22, 2026
    affected < 4.31-r2fixed 4.31-r2

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-27136MedMay 22, 2026
    affected < 0fixed 0

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-25681MedMay 22, 2026
    affected < 0fixed 0

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-25680MedMay 22, 2026
    affected < 0fixed 0

    Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

  • CVE-2026-41889CriMay 8, 2026
    affected < 4.22-r0fixed 4.22-r0

    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol

  • CVE-2026-41602HigApr 28, 2026
    affected < 4.23-r2fixed 4.23-r2

    Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2026-32952MedApr 24, 2026
    affected < 4.21-r1fixed 4.21-r1

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-33813HigApr 21, 2026
    affected < 4.36-r1fixed 4.36-r1

    Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

  • CVE-2026-39883HigApr 8, 2026
    affected < 4.20-r0fixed 4.20-r0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-32289MedApr 8, 2026
    affected < 4.20-r0fixed 4.20-r0

    Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es

  • CVE-2026-32288MedApr 8, 2026
    affected < 4.20-r0fixed 4.20-r0

    tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

  • CVE-2026-32283HigApr 8, 2026
    affected < 4.20-r0fixed 4.20-r0

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32282MedApr 8, 2026
    affected < 0fixed 0

    On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R

Page 1 of 3