VYPR

apk package

wolfi/vitess-23

pkg:apk/wolfi/vitess-23

Vulnerabilities (88)

  • CVE-2026-39828MedMay 22, 2026
    affected < 0fixed 0

    When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par

  • CVE-2026-39827MedMay 22, 2026
    affected < 0fixed 0

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-45736MedMay 15, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.

  • CVE-2026-45740MedMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested

  • CVE-2026-44295HigMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain name

  • CVE-2026-44294MedMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded int

  • CVE-2026-44293HigMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a no

  • CVE-2026-44292MedMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message

  • CVE-2026-44291HigMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted,

  • CVE-2026-44290HigMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause optio

  • CVE-2026-44289HigMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.

  • CVE-2026-44288MedMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can

  • CVE-2026-42290HigMay 13, 2026
    affected < 23.0.4-r5fixed 23.0.4-r5

    protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process.exec. File paths containing shell metacharacters could therefore be interpreted

  • CVE-2026-42501HigMay 7, 2026
    affected < 23.0.4-r0fixed 23.0.4-r0

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser

  • CVE-2026-42499HigMay 7, 2026
    affected < 23.0.4-r0fixed 23.0.4-r0

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    affected < 23.0.4-r0fixed 23.0.4-r0

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 23.0.4-r0fixed 23.0.4-r0

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 23.0.4-r0fixed 23.0.4-r0

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 23.0.4-r0fixed 23.0.4-r0

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 23.0.4-r0fixed 23.0.4-r0

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Page 2 of 5