VYPR

apk package

wolfi/teleport-18-kube-agent-updater

pkg:apk/wolfi/teleport-18-kube-agent-updater

Vulnerabilities (50)

  • CVE-2026-39836HigMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 0fixed 0

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 18.7.6-r1fixed 18.7.6-r1

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-35206MedApr 9, 2026
    affected < 18.7.2-r12fixed 18.7.2-r12

    Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working di

  • CVE-2026-39883HigApr 8, 2026
    affected < 18.7.2-r7fixed 18.7.2-r7

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-29181HigApr 7, 2026
    affected < 18.7.6-r0fixed 18.7.6-r0

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many bagg

  • CVE-2026-39395MedApr 7, 2026
    affected < 18.9.2-r0fixed 18.9.2-r0

    Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and det

  • CVE-2026-34986HigApr 6, 2026
    affected < 18.7.2-r6fixed 18.7.2-r6

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-34040HigMar 31, 2026
    affected < 18.7.2-r12fixed 18.7.2-r12

    Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

  • CVE-2026-33997MedMar 31, 2026
    affected < 18.7.2-r12fixed 18.7.2-r12

    Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre

  • CVE-2026-33487HigMar 26, 2026
    affected < 18.7.2-r3fixed 18.7.2-r3

    goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo

  • CVE-2026-33186CriMar 20, 2026
    affected < 18.7.2-r2fixed 18.7.2-r2

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-15558Mar 4, 2026
    affected < 18.7.1-r7fixed 18.7.1-r7

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2026-24051HigFeb 2, 2026
    affected < 18.7.1-r6fixed 18.7.1-r6

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman