VYPR

rpm package

almalinux/cockpit-ha-cluster

pkg:rpm/almalinux/cockpit-ha-cluster

Vulnerabilities (7)

  • CVE-2026-4800 High Mar 31, 2026
    affected < 0.12.1-1.el10_1.3, fixed 0.12.1-1.el10_1.3

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2025-13465 Med Jan 21, 2026
    affected < 0.12.1-1.el10_1.2, fixed 0.12.1-1.el10_1.2

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2025-61919 Oct 10, 2025
    affected < 0.12.1-1.el10_1.1, fixed 0.12.1-1.el10_1.1

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large

  • CVE-2025-61772 Oct 7, 2025
    affected < 0.12.1-1.el10_1.1, fixed 0.12.1-1.el10_1.1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin

  • CVE-2025-61771 Oct 7, 2025
    affected < 0.12.1-1.el10_1.1, fixed 0.12.1-1.el10_1.1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request

  • CVE-2025-61770 Oct 7, 2025
    affected < 0.12.1-1.el10_1.1, fixed 0.12.1-1.el10_1.1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid

  • CVE-2025-59830 Sep 25, 2025
    affected < 0.12.1-1.el10_1.1, fixed 0.12.1-1.el10_1.1

    Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submi