VYPR

apk package

wolfi/tekton-pipelines-webhook-1.9

pkg:apk/wolfi/tekton-pipelines-webhook-1.9

Vulnerabilities (10)

  • CVE-2026-42507MedJun 2, 2026
    affected < 1.9.3-r5fixed 1.9.3-r5

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 1.9.3-r5fixed 1.9.3-r5

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 1.9.3-r5fixed 1.9.3-r5

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.9.3-r1fixed 1.9.3-r1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-40938HigApr 21, 2026
    affected < 1.9.3-r2fixed 1.9.3-r2

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch withou

  • CVE-2026-40924MedApr 21, 2026
    affected < 1.9.3-r2fixed 1.9.3-r2

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size

  • CVE-2026-40923MedApr 21, 2026
    affected < 1.9.3-r2fixed 1.9.3-r2

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tek

  • CVE-2026-40161HigApr 21, 2026
    affected < 1.9.3-r2fixed 1.9.3-r2

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-con

  • CVE-2026-25542MedApr 21, 2026
    affected < 1.9.3-r2fixed 1.9.3-r2

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string (refSource.URI) against spec.

  • CVE-2026-33022Mar 20, 2026
    affected < 1.9.2-r0fixed 1.9.2-r0

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can creat