VYPR

apk package

wolfi/teleport-18.6-operator

pkg:apk/wolfi/teleport-18.6-operator

Vulnerabilities (46)

  • CVE-2026-24051HigFeb 2, 2026
    affected < 18.6.8-r2fixed 18.6.8-r2

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2026-24686Jan 27, 2026
    affected < 18.6.8-r9fixed 18.6.8-r9

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.

  • CVE-2026-24137MedJan 23, 2026
    affected < 0fixed 0

    sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target na

  • CVE-2026-23992Jan 22, 2026
    affected < 18.6.8-r9fixed 18.6.8-r9

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This

  • CVE-2026-23991Jan 22, 2026
    affected < 18.6.8-r9fixed 18.6.8-r9

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,

  • CVE-2025-66564Dec 4, 2025
    affected < 18.6.8-r9fixed 18.6.8-r9

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t

Page 3 of 3