VYPR

apk package

wolfi/telegraf-1.37

pkg:apk/wolfi/telegraf-1.37

Vulnerabilities (59)

  • CVE-2026-39820HigMay 7, 2026
    affected < 1.37.3-r12fixed 1.37.3-r12

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 1.37.3-r12fixed 1.37.3-r12

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 1.37.3-r12fixed 1.37.3-r12

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.37.3-r13fixed 1.37.3-r13

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 1.37.3-r12fixed 1.37.3-r12

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-41602HigApr 28, 2026
    affected < 1.37.3-r15fixed 1.37.3-r15

    Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

  • CVE-2026-32952MedApr 24, 2026
    affected < 1.37.3-r11fixed 1.37.3-r11

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-40179MedApr 15, 2026
    affected < 0fixed 0

    Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne

  • CVE-2026-39883HigApr 8, 2026
    affected < 1.37.3-r9fixed 1.37.3-r9

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-34986HigApr 6, 2026
    affected < 1.37.3-r8fixed 1.37.3-r8

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-32287HigMar 26, 2026
    affected < 1.37.3-r7fixed 1.37.3-r7

    Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".

  • CVE-2026-32286HigMar 26, 2026
    affected < 1.37.3-r7fixed 1.37.3-r7

    The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.

  • CVE-2026-33249Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.11.0 and prior to versions 2.11.15 and 2.12.6, a valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary

  • CVE-2026-33223Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, the NATS message header `Nats-Request-Info:` is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from i

  • CVE-2026-33248Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with `verify_and_map` to derive a NATS identity from the client certificate's Subject DN, certain patterns of

  • CVE-2026-33222Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected a

  • CVE-2026-33247Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any us

  • CVE-2026-33219Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires

  • CVE-2026-33218Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 an

  • CVE-2026-33246Mar 25, 2026
    affected < 1.37.3-r6fixed 1.37.3-r6

    NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server offers a `Nats-Request-Info:` message header, providing information about a request. This is supposed to provide enough information to allow for account/user identifica