VegOps Security Dashboard
$ scanned 35 releases | 2026-06-30 07:13 UTC
adguard:0.107.77-r1
22 Issues
adguard:0.107.77-r1
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GO-2026-5020 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | When writing data larger than 4GB in a single Write call on an SSH channel, a... |
| GO-2026-5023 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh serv... |
| GO-2026-5006 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | When adding a key to a remote agent constraint extensions such as restrict-de... |
| GO-2026-5017 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | A malicious SSH peer could send unsolicited global request responses to fill ... |
| GO-2026-5019 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@o... |
| GO-2026-5021 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA was not corr... |
| GO-2026-5005 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently accepted keys with th... |
| CVE-2022-45770 | High | adguard@0.107.77-r1 | arm64 amd64 | Unpatched | Improper input validation in adgnetworkwfpdrv.sys in Adguard For Windows x86 ... |
| CVE-2026-42504 | High | stdlib@go1.26.3 | arm64 amd64 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing many invalid encoded-wo... |
| GO-2026-5038 | High | stdlib@go1.26.3 | arm64 amd64 | 1.25.11, 1.26.4 | Decoding a maliciously-crafted MIME header containing many invalid encoded-wo... |
| GO-2026-5013 | High | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for server-side panic in... |
| GO-2026-5018 | High | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | The RSA and DSA public key parsers did not enforce size limits on key paramet... |
| CVE-2026-27145 | Medium | stdlib@go1.26.3 | arm64 amd64 | 1.25.11, 1.26.4 | (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop... |
| GO-2026-5037 | Medium | stdlib@go1.26.3 | arm64 amd64 | 1.25.11, 1.26.4 | (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop... |
| CVE-2026-42507 | Medium | stdlib@go1.26.3 | arm64 amd64 | 1.25.11, 1.26.4 | When returning errors, functions in the net/textproto package would include i... |
| GO-2026-5039 | Medium | stdlib@go1.26.3 | arm64 amd64 | 1.25.11, 1.26.4 | When returning errors, functions in the net/textproto package would include i... |
| GO-2026-5033 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | For certain crafted inputs, a 'ed25519.PrivateKey' was created by c... |
| GHSA-vvgj-x9jq-8cj9 | Medium | github.com/quic-go/quic-go@v0.59.0 | arm64 amd64 | 0.59.1 | quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion |
| GHSA-mwwc-3jv2-62j3 | Medium | github.com/AdguardTeam/AdGuardHome@v0.107.77+dirty | arm64 amd64 | 0.108.0-b.16 | AdGuardHome vulnerable to Cross-Site Request Forgery |
| GO-2026-5016 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | An authenticated SSH client that repeatedly opened channels which were reject... |
| GO-2026-5015 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | SSH servers which use CertChecker as a public key callback without setting Is... |
| GO-2026-5014 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | When an SSH server authentication callback returned PartialSuccessError with ... |
bentopdf:2.8.5-r0
Clean
bitcoin-core:31.0-r4
2 Issues
bitcoin-core:31.0-r4
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| CVE-2012-4682 | Medium | bitcoin-core@31.0-r4 | arm64 amd64 | Unpatched | Unspecified vulnerability in bitcoind and Bitcoin-Qt allows attackers to caus... |
| CVE-2012-4683 | Medium | bitcoin-core@31.0-r4 | arm64 amd64 | Unpatched | Unspecified vulnerability in bitcoind and Bitcoin-Qt allows attackers to caus... |
bitcoin-knots:29.3.20260210-r4
Clean
chown:0.1.0-r1
2 Issues
chown:0.1.0-r1
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| CVE-2026-40200 | High | musl@1.2.6-r2 | arm64 amd64 | Unpatched | An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory... |
| CVE-2026-6042 | Medium | musl@1.2.6-r2 | arm64 amd64 | Unpatched | A security flaw has been discovered in musl libc up to 1.2.6. Affected is the... |
configarr:1.28.0-r0
Clean
dotnet/10:10.0.109-r1
built from dotnet-10 Clean
dotnet/9:9.0.118-r3
built from dotnet-9 Clean
dotnet/8:8.0.127-r0
built from dotnet-8 Clean
electrs:0.11.1-r2
1 Issues
electrs:0.11.1-r2
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GHSA-cq8v-f236-94qc | Low | rand@0.8.5 | arm64 amd64 | 0.8.6 | Rand is unsound with a custom logger using rand::rng() |
fulcrum:2.1.1-r2
6 Issues
fulcrum:2.1.1-r2
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| CVE-2026-11940 | High | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | tarfile.extractall() with the 'data' or 'tar' filter cou... |
| CVE-2026-11972 | High | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | When using the "tarfile" module with a file opened in "streami... |
| CVE-2025-15366 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | The imaplib module, when passed a user-controlled command, can have additiona... |
| CVE-2025-15367 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | The poplib module, when passed a user-controlled command, can have additional... |
| CVE-2026-12003 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | To allow builds of Python to be run from an in-tree layout (rather than an in... |
| CVE-2026-0864 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | When using the "configparser" module to write configuration files c... |
ghost:6.46.0-r0
39 Issues
ghost:6.46.0-r0
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GHSA-67hx-6x53-jw92 | Critical | babel-traverse@6.26.0 | arm64 amd64 | Unpatched | Babel vulnerable to arbitrary code execution when compiling specifically craf... |
| GHSA-35jh-r3h4-6jhm | High | lodash.template@4.5.0 | arm64 amd64 | Unpatched | Command Injection in lodash |
| GHSA-p6mc-m468-83gw | High | lodash.pick@4.4.0 | arm64 amd64 | Unpatched | Prototype Pollution in lodash |
| GHSA-pfq8-rq6v-vf5m | High | html-minifier@4.0.0 | arm64 amd64 | Unpatched | kangax html-minifier REDoS vulnerability |
| GHSA-r5fr-rjxr-66jc | High | lodash.template@4.5.0 | arm64 amd64 | 4.18.0 | lodash vulnerable to Code Injection via `_.template` imports key names |
| GHSA-4jv9-3563-23j3 | High | knex@0.20.15 | arm64 amd64 | 2.4.0 | Knex.js has a limited SQL injection vulnerability |
| GHSA-xgwh-cgv9-783v | High | @tryghost/members-csv@2.0.7 | arm64 amd64 | 5.82.0 | Ghost allows CSV Injection during member CSV export |
| GHSA-8cf7-32gw-wr33 | High | jsonwebtoken@8.5.1 | arm64 amd64 | 9.0.0 | jsonwebtoken unrestricted key type could lead to legacy keys usage |
| GHSA-vxpw-j846-p89q | High | undici@6.26.0 | arm64 amd64 | 6.27.0 | undici WebSocket client vulnerable to denial of service via fragment count by... |
| GHSA-vxpw-j846-p89q | High | undici@7.26.0 | arm64 amd64 | 7.28.0 | undici WebSocket client vulnerable to denial of service via fragment count by... |
| GHSA-vghf-hv5q-vc2g | High | validator@7.2.0 | arm64 amd64 | 13.15.22 | Validator is Vulnerable to Incomplete Filtering of One or More Instances of S... |
| GHSA-hmw2-7cc7-3qxx | High | form-data@2.5.5 | arm64 amd64 | 2.5.6 | form-data: CRLF injection in form-data via unescaped multipart field names an... |
| GHSA-hmw2-7cc7-3qxx | High | form-data@3.0.4 | arm64 amd64 | 3.0.5 | form-data: CRLF injection in form-data via unescaped multipart field names an... |
| GHSA-hmw2-7cc7-3qxx | High | form-data@4.0.5 | arm64 amd64 | 4.0.6 | form-data: CRLF injection in form-data via unescaped multipart field names an... |
| GHSA-72gw-mp4g-v24j | High | multer@2.1.1 | arm64 amd64 | 2.2.0 | Multer vulnerable to Denial of Service via deeply nested field names |
| GHSA-vmh5-mc38-953g | High | undici@7.26.0 | arm64 amd64 | 7.28.0 | undici vulnerable to TLS certificate validation bypass via dropped requestTls... |
| GHSA-hm92-r4w5-c3mj | High | undici@7.26.0 | arm64 amd64 | 7.28.0 | undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse |
| GHSA-p6gq-j5cr-w38f | High | nodemailer@8.0.10 | arm64 amd64 | 9.0.1 | Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAcc... |
| GHSA-p6gq-j5cr-w38f | High | nodemailer@8.0.11 | arm64 amd64 | 9.0.1 | Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAcc... |
| GHSA-qgmg-gppg-76g5 | Medium | validator@7.2.0 | arm64 amd64 | 13.7.0 | Inefficient Regular Expression Complexity in validator.js |
| GHSA-p8p7-x288-28g6 | Medium | request@2.88.2 | arm64 amd64 | Unpatched | Server-Side Request Forgery in Request |
| GHSA-hjrf-2m68-5959 | Medium | jsonwebtoken@8.5.1 | arm64 amd64 | 9.0.0 | jsonwebtoken's insecure implementation of key retrieval function could l... |
| GHSA-qwph-4952-7xr6 | Medium | jsonwebtoken@8.5.1 | arm64 amd64 | 9.0.0 | jsonwebtoken vulnerable to signature validation bypass due to insecure defaul... |
| GHSA-pr7r-676h-xcf6 | Medium | undici@7.26.0 | arm64 amd64 | 7.28.0 | undici vulnerable to cross-user information disclosure via shared cache white... |
| GHSA-w5hq-g745-h8pq | Medium | uuid@3.4.0 | arm64 amd64 | 11.1.1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided |
| GHSA-w5hq-g745-h8pq | Medium | uuid@7.0.3 | arm64 amd64 | 11.1.1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided |
| GHSA-w5hq-g745-h8pq | Medium | uuid@9.0.1 | arm64 amd64 | 11.1.1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided |
| GHSA-9965-vmph-33xx | Medium | validator@7.2.0 | arm64 amd64 | 13.15.20 | validator.js has a URL validation bypass vulnerability in its isURL function |
| GHSA-3p4h-7m6x-2hcm | Medium | multer@2.1.1 | arm64 amd64 | 2.2.0 | Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads |
| GHSA-p88m-4jfj-68fv | Medium | undici@6.26.0 | arm64 amd64 | 6.27.0 | undici vulnerable to HTTP header injection via Set-Cookie percent-decoding |
| GHSA-p88m-4jfj-68fv | Medium | undici@7.26.0 | arm64 amd64 | 7.28.0 | undici vulnerable to HTTP header injection via Set-Cookie percent-decoding |
| GHSA-8988-4f7v-96qf | Medium | @opentelemetry/core@2.7.1 | arm64 amd64 | 2.8.0 | OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation |
| GHSA-vmf3-w455-68vh | Medium | tar@7.5.15 | arm64 amd64 | 7.5.16 | node-tar applies PAX size override to intermediary GNU long-name/long-link he... |
| GHSA-cmwh-pvxp-8882 | Medium | dompurify@3.4.9 | arm64 amd64 | 3.4.11 | DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the... |
| GHSA-984p-xq9m-4rjw | Medium | express-brute@1.0.1 | arm64 amd64 | Unpatched | Rate Limiting Bypass in express-brute |
| GHSA-g8m3-5g58-fq7m | Low | undici@6.26.0 | arm64 amd64 | 6.27.0 | undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive s... |
| GHSA-g8m3-5g58-fq7m | Low | undici@7.26.0 | arm64 amd64 | 7.28.0 | undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive s... |
| GHSA-35p6-xmwp-9g52 | Low | undici@6.26.0 | arm64 amd64 | 6.27.0 | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse |
| GHSA-35p6-xmwp-9g52 | Low | undici@7.26.0 | arm64 amd64 | 7.28.0 | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse |
go:1.26.4-r1
Clean
i2pd:2.60.0-r1
Clean
libtorrent:2.0.13-r1
Clean
lidarr:3.1.0.4875-r1
2 Issues
lidarr:3.1.0.4875-r1
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GHSA-g7hc-96xr-gvvx | Medium | MimeKit@4.14.0 | arm64 amd64 | 4.15.1 | MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Inj... |
| GHSA-9j88-vvj5-vhgr | Medium | MailKit@4.14.0 | arm64 amd64 | 4.16.0 | MailKit has STARTTLS Response Injection via unflushed stream buffer that enab... |
lnd:0.20.1_beta-r1
48 Issues
lnd:0.20.1_beta-r1
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GHSA-p77j-4mvh-x3m3 | Critical | google.golang.org/grpc@v1.59.0 | arm64 amd64 | 1.79.3 | gRPC-Go has an authorization bypass via missing leading slash in :path |
| GO-2026-5020 | Critical | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | When writing data larger than 4GB in a single Write call on an SSH channel, a... |
| GHSA-xgrm-4fwx-7qm8 | Critical | github.com/jackc/pgx/v5@v5.7.4 | arm64 amd64 | 5.9.0 | pgx contains memory-safety vulnerability |
| GO-2026-5023 | Critical | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh serv... |
| GO-2026-5006 | Critical | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | When adding a key to a remote agent constraint extensions such as restrict-de... |
| GHSA-9jj7-4m8r-rfcm | Critical | github.com/jackc/pgx/v5@v5.7.4 | arm64 amd64 | 5.9.0 | Memory-safety vulnerability in github.com/jackc/pgx/v5. |
| GO-2026-5017 | Critical | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | A malicious SSH peer could send unsolicited global request responses to fill ... |
| GO-2026-5019 | Critical | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@o... |
| GO-2026-5021 | Critical | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA was not corr... |
| GO-2026-5005 | Critical | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently accepted keys with th... |
| GO-2026-5026 | Critical | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.55.0 | The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded label... |
| GHSA-x744-4wpc-v9h2 | High | github.com/docker/docker@v28.1.1+incompatible | arm64 amd64 | 29.3.1 | Moby has AuthZ plugin bypass when provided oversized request bodies |
| GHSA-9493-h29p-rfm2 | High | github.com/opencontainers/runc@v1.1.14 | arm64 amd64 | 1.2.8 | runc container escape via "masked path" abuse due to mount race con... |
| GHSA-4f99-4q7p-p3gh | High | github.com/sirupsen/logrus@v1.9.2 | arm64 amd64 | 1.9.3 | Logrus is vulnerable to DoS when using Entry.Writer() |
| GO-2025-4116 | High | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.43.0 | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will ... |
| GO-2026-4918 | High | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.53.0 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop... |
| GHSA-qw9x-cqr3-wc7r | High | github.com/opencontainers/runc@v1.1.14 | arm64 amd64 | 1.2.8 | runc container escape with malicious config due to /dev/console mount and rel... |
| GHSA-cgrx-mc8f-2prm | High | github.com/opencontainers/runc@v1.1.14 | arm64 amd64 | 1.2.8 | runc container escape and denial of service due to arbitrary write gadgets an... |
| GHSA-p436-gjf2-799p | High | github.com/docker/cli@v28.1.1+incompatible | arm64 amd64 | 29.2.0 | Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege... |
| GO-2026-5013 | High | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for server-side panic in... |
| GHSA-jqcq-xjh3-6g23 | High | github.com/jackc/pgproto3/v2@v2.3.3 | arm64 amd64 | Unpatched | Denial of service in github.com/jackc/pgproto3/v2 |
| GO-2026-5018 | High | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | The RSA and DSA public key parsers did not enforce size limits on key paramet... |
| GHSA-hfvc-g4fc-pqhx | High | go.opentelemetry.io/otel/sdk@v1.35.0 | arm64 amd64 | 1.43.0 | opentelemetry-go: BSD kenv command not using absolute path enables PATH hijac... |
| GHSA-9h8m-3fm2-qjrq | High | go.opentelemetry.io/otel/sdk@v1.35.0 | arm64 amd64 | 1.40.0 | OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking |
| GHSA-x86f-5xw2-fm2r | High | github.com/docker/docker@v28.1.1+incompatible | arm64 amd64 | Unpatched | Docker: `PUT /containers/{id}/archive` executes container binary on the host |
| GHSA-rg2x-37c3-w2rh | High | github.com/docker/docker@v28.1.1+incompatible | arm64 amd64 | Unpatched | Docker: Race condition in docker cp allows bind mount redirection to host path |
| GHSA-j5w8-q4qc-rx2x | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.45.0 | golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption |
| GO-2025-4134 | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.45.0 | SSH servers parsing GSSAPI authentication requests do not validate the number... |
| GO-2026-4440 | Medium | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.45.0 | The html.Parse function in golang.org/x/net/html has quadratic parsing comple... |
| GO-2026-4441 | Medium | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.45.0 | The html.Parse function in golang.org/x/net/html has an infinite parsing loop... |
| GHSA-f6x5-jh6r-wrfv | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.45.0 | golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due... |
| GO-2025-4135 | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.45.0 | SSH Agent servers do not validate the size of messages when processing new id... |
| GHSA-pxq6-2prw-chj9 | Medium | github.com/docker/docker@v28.1.1+incompatible | arm64 amd64 | Unpatched | Moby has an Off-by-one error in its plugin privilege validation |
| GHSA-2464-8j7c-4cjm | Medium | github.com/go-viper/mapstructure/v2@v2.3.0 | arm64 amd64 | 2.4.0 | go-viper's mapstructure May Leak Sensitive Information in Logs When Proc... |
| GO-2026-5033 | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | For certain crafted inputs, a 'ed25519.PrivateKey' was created by c... |
| GO-2026-5028 | Medium | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.55.0 | Parsing arbitrary HTML can consume excessive CPU time, possibly leading to de... |
| GO-2026-5016 | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | An authenticated SSH client that repeatedly opened channels which were reject... |
| GO-2026-5015 | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | SSH servers which use CertChecker as a public key callback without setting Is... |
| GO-2026-5025 | Medium | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.55.0 | Parsing arbitrary HTML which is then rendered using Render can result in an u... |
| GO-2026-5014 | Medium | golang.org/x/crypto@v0.37.0 | arm64 amd64 | 0.52.0 | When an SSH server authentication callback returned PartialSuccessError with ... |
| GO-2026-5027 | Medium | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.55.0 | Parsing arbitrary HTML which is then rendered using Render can result in an u... |
| GO-2026-5029 | Medium | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.55.0 | Parsing arbitrary HTML which is then rendered using Render can result in an u... |
| GO-2026-5030 | Medium | golang.org/x/net@v0.39.0 | arm64 amd64 | 0.55.0 | Parsing arbitrary HTML which is then rendered using Render can result in an u... |
| GHSA-vp62-88p7-qqf5 | Medium | github.com/docker/docker@v28.1.1+incompatible | arm64 amd64 | Unpatched | Docker: Race condition in docker cp allows creation of arbitrary empty files ... |
| GHSA-xjvp-4fhw-gc47 | Medium | github.com/opencontainers/runc@v1.1.14 | arm64 amd64 | 1.3.6 | runc: Malicious image with /dev symlink can trigger limited host filesystem i... |
| GHSA-j88v-2chj-qfwx | Low | github.com/jackc/pgx/v4@v4.18.3 | arm64 amd64 | Unpatched | pgx: SQL Injection via placeholder confusion with dollar quoted string literals |
| GHSA-j88v-2chj-qfwx | Low | github.com/jackc/pgx/v5@v5.7.4 | arm64 amd64 | 5.9.2 | pgx: SQL Injection via placeholder confusion with dollar quoted string literals |
| GO-2026-5024 | Low | golang.org/x/sys@v0.32.0 | arm64 amd64 | 0.44.0 | NewNTUnicodeString does not check for string length overflow. When provided w... |
miniupnpc:2.3.3-r1
Clean
openssl:3.6.3
Clean
openssl-static:3.6.2-r0
Clean
plex:1.43.2.10687-r2
Clean
postgres/18:18.4-r6
built from postgres-18 Clean
prometheus-minimal:3.12.0-r1
13 Issues
prometheus-minimal:3.12.0-r1
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GO-2026-5020 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | When writing data larger than 4GB in a single Write call on an SSH channel, a... |
| GO-2026-5023 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh serv... |
| GO-2026-5006 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | When adding a key to a remote agent constraint extensions such as restrict-de... |
| GO-2026-5017 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | A malicious SSH peer could send unsolicited global request responses to fill ... |
| GO-2026-5019 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@o... |
| GO-2026-5021 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | Previously, a revoked 'SignatureKey' belonging to a CA was not corr... |
| GO-2026-5005 | Critical | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | The in-memory keyring returned by NewKeyring() silently accepted keys with th... |
| GO-2026-5013 | High | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | An incorrectly placed cast from bytes to int allowed for server-side panic in... |
| GO-2026-5018 | High | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | The RSA and DSA public key parsers did not enforce size limits on key paramet... |
| GO-2026-5033 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | For certain crafted inputs, a 'ed25519.PrivateKey' was created by c... |
| GO-2026-5016 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | An authenticated SSH client that repeatedly opened channels which were reject... |
| GO-2026-5015 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | SSH servers which use CertChecker as a public key callback without setting Is... |
| GO-2026-5014 | Medium | golang.org/x/crypto@v0.51.0 | arm64 amd64 | 0.52.0 | When an SSH server authentication callback returned PartialSuccessError with ... |
prowlarr:2.4.0.5397-r2
Clean
qbittorrent:5.2.2-r1
Clean
qt-minimal:6.11.1-r1
Clean
radarr:6.2.1.10461-r0
Clean
rocksdb/11:11.1.1-r0
built from rocksdb-11 Clean
rocksdb/10:10.10.1-r2
built from rocksdb-10 Clean
seerr:3.3.0-r3
105 Issues
seerr:3.3.0-r3
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GHSA-2w6w-674q-4c4q | Critical | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection via AST Type Confusion |
| GHSA-r5fr-rjxr-66jc | High | lodash-es@4.17.23 | arm64 amd64 | 4.18.0 | lodash vulnerable to Code Injection via `_.template` imports key names |
| GHSA-xhpv-hc6g-r9c6 | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an... |
| GHSA-3mfm-83xf-c92r | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @p... |
| GHSA-qpx9-hpmf-5gmw | High | underscore@1.13.7 | arm64 amd64 | 1.13.8 | Underscore has unlimited recursion in _.flatten and _.isEqual, potential for ... |
| GHSA-pjwm-pj3p-43mv | High | axios@1.15.0 | arm64 amd64 | 1.16.0 | axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses,... |
| GHSA-3ppc-4f35-3m26 | High | minimatch@9.0.5 | arm64 amd64 | 9.0.6 | minimatch has a ReDoS via repeated wildcards with non-matching literal in pat... |
| GHSA-34x7-hfp2-rc4v | High | tar@6.2.1 | arm64 amd64 | 7.5.7 | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Tr... |
| GHSA-9cx6-37pm-9jff | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Templat... |
| GHSA-35jp-ww65-95wh | High | axios@1.15.0 | arm64 amd64 | 1.16.0 | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in ... |
| GHSA-7r86-cg39-jmmj | High | minimatch@9.0.5 | arm64 amd64 | 9.0.7 | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-a... |
| GHSA-23c5-xmqv-rm74 | High | minimatch@9.0.5 | arm64 amd64 | 9.0.7 | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking r... |
| GHSA-vxpw-j846-p89q | High | undici@6.25.0 | arm64 amd64 | 6.27.0 | undici WebSocket client vulnerable to denial of service via fragment count by... |
| GHSA-vxpw-j846-p89q | High | undici@8.1.0 | arm64 amd64 | 8.5.0 | undici WebSocket client vulnerable to denial of service via fragment count by... |
| GHSA-38rv-x7px-6hhq | High | undici@8.1.0 | arm64 amd64 | 8.5.0 | undici WebSocket client vulnerable to denial of service via cumulative fragme... |
| GHSA-q8qp-cvcw-x6jj | High | axios@1.15.0 | arm64 amd64 | 1.15.2 | Axios has prototype pollution read-side gadgets in HTTP adapter that allow cr... |
| GHSA-rcmh-qjqh-p98v | High | nodemailer@6.10.0 | arm64 amd64 | 7.0.11 | Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls |
| GHSA-rcmh-qjqh-p98v | High | nodemailer@6.9.16 | arm64 amd64 | 7.0.11 | Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls |
| GHSA-p92q-9vqr-4j8v | High | axios@1.15.0 | arm64 amd64 | 1.16.0 | Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HT... |
| GHSA-pmwg-cvhr-8vh7 | High | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via R... |
| GHSA-q3j6-qgpj-74h6 | High | fast-uri@3.1.0 | arm64 amd64 | 3.1.1 | fast-uri vulnerable to path traversal via percent-encoded dot segments |
| GHSA-6chq-wfr3-2hj9 | High | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Header Injection via Prototype Pollution |
| GHSA-pf86-5x62-jrwf | High | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, a... |
| GHSA-hfxv-24rg-xrqf | High | axios@1.15.0 | arm64 amd64 | 1.16.0 | Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection |
| GHSA-777c-7fjr-54vf | High | axios@1.15.0 | arm64 amd64 | 1.16.0 | Allocation of Resources Without Limits or Throttling in Axios |
| GHSA-hmw2-7cc7-3qxx | High | form-data@4.0.5 | arm64 amd64 | 4.0.6 | form-data: CRLF injection in form-data via unescaped multipart field names an... |
| GHSA-8qq5-rm4j-mr97 | High | tar@6.2.1 | arm64 amd64 | 7.5.3 | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via ... |
| GHSA-j5f8-grm9-p9fc | High | axios@1.15.0 | arm64 amd64 | 1.16.0 | Axios: Proxy-Authorization header leaks to redirect target when proxy is re-e... |
| GHSA-xjpj-3mr7-gcpf | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names... |
| GHSA-qffp-2rhf-9h96 | High | tar@6.2.1 | arm64 amd64 | 7.5.10 | tar has Hardlink Path Traversal via Drive-Relative Linkpath |
| GHSA-83g3-92jg-28cx | High | tar@6.2.1 | arm64 amd64 | 7.5.8 | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in... |
| GHSA-72gw-mp4g-v24j | High | multer@2.1.1 | arm64 amd64 | 2.2.0 | Multer vulnerable to Denial of Service via deeply nested field names |
| GHSA-v39h-62p7-jpjc | High | fast-uri@3.1.0 | arm64 amd64 | 3.1.2 | fast-uri vulnerable to host confusion via percent-encoded authority delimiters |
| GHSA-vmh5-mc38-953g | High | undici@8.1.0 | arm64 amd64 | 8.5.0 | undici vulnerable to TLS certificate validation bypass via dropped requestTls... |
| GHSA-9ppj-qmqm-q256 | High | tar@6.2.1 | arm64 amd64 | 7.5.11 | node-tar Symlink Path Traversal via Drive-Relative Linkpath |
| GHSA-hm92-r4w5-c3mj | High | undici@8.1.0 | arm64 amd64 | 8.2.0 | undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse |
| GHSA-3g43-6gmg-66jw | High | axios@1.15.0 | arm64 amd64 | 1.15.2 | axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pol... |
| GHSA-r6q2-hw4h-h46w | High | tar@6.2.1 | arm64 amd64 | 7.5.4 | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions ... |
| GHSA-fv7c-fp4j-7gwp | High | @babel/plugin-transform-modules-systemjs@7.24.7 | arm64 amd64 | 7.29.4 | @babel/plugin-transform-modules-systemjs generates arbitrary code when compil... |
| GHSA-22p9-wv53-3rq4 | High | linkify-it@5.0.0 | arm64 amd64 | 5.0.1 | LinkifyIt#match scan loop has quadratic algorithmic complexity |
| GHSA-p6gq-j5cr-w38f | High | nodemailer@6.10.0 | arm64 amd64 | 9.0.1 | Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAcc... |
| GHSA-p6gq-j5cr-w38f | High | nodemailer@6.9.16 | arm64 amd64 | 9.0.1 | Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAcc... |
| GHSA-p6gq-j5cr-w38f | High | nodemailer@7.0.12 | arm64 amd64 | 9.0.1 | Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAcc... |
| GHSA-p6gq-j5cr-w38f | High | nodemailer@8.0.5 | arm64 amd64 | 9.0.1 | Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAcc... |
| GHSA-mm7p-fcc7-pg87 | Medium | nodemailer@6.10.0 | arm64 amd64 | 7.0.7 | Nodemailer: Email to an unintended domain can occur due to Interpretation Con... |
| GHSA-mm7p-fcc7-pg87 | Medium | nodemailer@6.9.16 | arm64 amd64 | 7.0.7 | Nodemailer: Email to an unintended domain can occur due to Interpretation Con... |
| GHSA-62hf-57xw-28j9 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: unbounded recursion in toFormData causes DoS via deeply nested request... |
| GHSA-f886-m6hf-6m8v | Medium | brace-expansion@1.1.12 | arm64 amd64 | 1.1.13 | brace-expansion: Zero-step sequence causes process hang and memory exhaustion |
| GHSA-f886-m6hf-6m8v | Medium | brace-expansion@2.0.2 | arm64 amd64 | 2.0.3 | brace-expansion: Zero-step sequence causes process hang and memory exhaustion |
| GHSA-f886-m6hf-6m8v | Medium | brace-expansion@5.0.4 | arm64 amd64 | 5.0.5 | brace-expansion: Zero-step sequence causes process hang and memory exhaustion |
| GHSA-378v-28hj-76wf | Medium | bn.js@4.12.2 | arm64 amd64 | 4.12.3 | bn.js affected by an infinite loop |
| GHSA-48c2-rrv3-qjmp | Medium | yaml@1.10.2 | arm64 amd64 | 1.10.3 | yaml is vulnerable to Stack Overflow via deeply nested YAML collections |
| GHSA-vf2m-468p-8v99 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: HTTP adapter streamed responses bypass maxContentLength |
| GHSA-pr7r-676h-xcf6 | Medium | undici@8.1.0 | arm64 amd64 | 8.5.0 | undici vulnerable to cross-user information disclosure via shared cache white... |
| GHSA-w5hq-g745-h8pq | Medium | uuid@9.0.1 | arm64 amd64 | 11.1.1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided |
| GHSA-q8mj-m7cp-5q26 | Medium | qs@6.14.1 | arm64 amd64 | 6.15.2 | qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on nul... |
| GHSA-f23m-r3pf-42rh | Medium | lodash-es@4.17.23 | arm64 amd64 | 4.18.0 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` a... |
| GHSA-m7pr-hjqh-92cm | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: no_proxy bypass via IP alias allows SSRF |
| GHSA-5c9x-8gcm-mpgx | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedire... |
| GHSA-jxxr-4gwj-5jf2 | Medium | brace-expansion@5.0.4 | arm64 amd64 | 5.0.6 | brace-expansion: Large numeric range defeats documented `max` DoS protection |
| GHSA-3w6x-2g7m-8v23 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.2 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `p... |
| GHSA-3p4h-7m6x-2hcm | Medium | multer@2.1.1 | arm64 amd64 | 2.2.0 | Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads |
| GHSA-w9j2-pvgh-6h63 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatu... |
| GHSA-898c-q2cr-xwhg | Medium | axios@1.15.0 | arm64 amd64 | 1.16.0 | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadget... |
| GHSA-p88m-4jfj-68fv | Medium | undici@6.25.0 | arm64 amd64 | 6.27.0 | undici vulnerable to HTTP header injection via Set-Cookie percent-decoding |
| GHSA-p88m-4jfj-68fv | Medium | undici@8.1.0 | arm64 amd64 | 8.5.0 | undici vulnerable to HTTP header injection via Set-Cookie percent-decoding |
| GHSA-h67p-54hq-rp68 | Medium | js-yaml@4.1.1 | arm64 amd64 | 4.2.0 | JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases |
| GHSA-v2v4-37r5-5v8g | Medium | ip-address@10.1.0 | arm64 amd64 | 10.1.1 | ip-address has XSS in Address6 HTML-emitting methods |
| GHSA-v2v4-37r5-5v8g | Medium | ip-address@9.0.5 | arm64 amd64 | 10.1.1 | ip-address has XSS in Address6 HTML-emitting methods |
| GHSA-445q-vr5w-6q77 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type i... |
| GHSA-xx6v-rp6x-q39c | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `wit... |
| GHSA-qx2v-qp2m-jg93 | Medium | postcss@8.4.31 | arm64 amd64 | 8.5.10 | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output |
| GHSA-2qvq-rjwj-gvw9 | Medium | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template... |
| GHSA-vmf3-w455-68vh | Medium | tar@6.2.1 | arm64 amd64 | 7.5.16 | node-tar applies PAX size override to intermediary GNU long-name/long-link he... |
| GHSA-vmf3-w455-68vh | Medium | tar@7.5.13 | arm64 amd64 | 7.5.16 | node-tar applies PAX size override to intermediary GNU long-name/long-link he... |
| GHSA-7rx3-28cr-v5wh | Medium | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupS... |
| GHSA-268h-hp4c-crq3 | Medium | nodemailer@6.10.0 | arm64 amd64 | 8.0.9 | Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitr... |
| GHSA-r7g4-qg5f-qqm2 | Medium | nodemailer@6.10.0 | arm64 amd64 | 8.0.8 | Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables... |
| GHSA-vvjj-xcjg-gr5g | Medium | nodemailer@6.10.0 | arm64 amd64 | 8.0.5 | Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Op... |
| GHSA-wqvq-jvpq-h66f | Medium | nodemailer@6.10.0 | arm64 amd64 | 8.0.9 | Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess duri... |
| GHSA-268h-hp4c-crq3 | Medium | nodemailer@6.9.16 | arm64 amd64 | 8.0.9 | Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitr... |
| GHSA-r7g4-qg5f-qqm2 | Medium | nodemailer@6.9.16 | arm64 amd64 | 8.0.8 | Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables... |
| GHSA-vvjj-xcjg-gr5g | Medium | nodemailer@6.9.16 | arm64 amd64 | 8.0.5 | Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Op... |
| GHSA-wqvq-jvpq-h66f | Medium | nodemailer@6.9.16 | arm64 amd64 | 8.0.9 | Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess duri... |
| GHSA-268h-hp4c-crq3 | Medium | nodemailer@7.0.12 | arm64 amd64 | 8.0.9 | Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitr... |
| GHSA-r7g4-qg5f-qqm2 | Medium | nodemailer@7.0.12 | arm64 amd64 | 8.0.8 | Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables... |
| GHSA-vvjj-xcjg-gr5g | Medium | nodemailer@7.0.12 | arm64 amd64 | 8.0.5 | Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Op... |
| GHSA-wqvq-jvpq-h66f | Medium | nodemailer@7.0.12 | arm64 amd64 | 8.0.9 | Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess duri... |
| GHSA-268h-hp4c-crq3 | Medium | nodemailer@8.0.5 | arm64 amd64 | 8.0.9 | Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitr... |
| GHSA-r7g4-qg5f-qqm2 | Medium | nodemailer@8.0.5 | arm64 amd64 | 8.0.8 | Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables... |
| GHSA-wqvq-jvpq-h66f | Medium | nodemailer@8.0.5 | arm64 amd64 | 8.0.9 | Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess duri... |
| GHSA-9h5v-pfqq-x599 | Medium | ua-parser-js@2.0.9 | arm64 amd64 | 2.0.10 | UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withCl... |
| GHSA-w7fw-mjwx-w883 | Low | qs@6.14.1 | arm64 amd64 | 6.14.2 | qs's arrayLimit bypass in comma parsing allows denial of service |
| GHSA-7gmj-h9xc-mcxc | Low | mailparser@3.7.2 | arm64 amd64 | 3.9.3 | mailparser vulnerable to Cross-site Scripting |
| GHSA-g8m3-5g58-fq7m | Low | undici@6.25.0 | arm64 amd64 | 6.27.0 | undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive s... |
| GHSA-g8m3-5g58-fq7m | Low | undici@8.1.0 | arm64 amd64 | 8.5.0 | undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive s... |
| GHSA-35p6-xmwp-9g52 | Low | undici@6.25.0 | arm64 amd64 | 6.27.0 | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse |
| GHSA-35p6-xmwp-9g52 | Low | undici@8.1.0 | arm64 amd64 | 8.5.0 | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse |
| GHSA-xhjh-pmcv-23jw | Low | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |
| GHSA-4x5r-pxfx-6jf8 | Low | @babel/core@7.29.0 | arm64 amd64 | 7.29.6 | @babel/core: Arbitrary File Read via sourceMappingURL Comment |
| GHSA-vpq2-c234-7xj6 | Low | @tootallnate/once@1.1.2 | arm64 amd64 | 2.0.1 | @tootallnate/once vulnerable to Incorrect Control Flow Scoping |
| GHSA-442j-39wm-28r2 | Low | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has a Property Access Validation Bypass in container.lookup |
| GHSA-c7w3-x93f-qmm8 | Low | nodemailer@6.10.0 | arm64 amd64 | 8.0.4 | Nodemailer has SMTP command injection due to unsanitized `envelope.size` para... |
| GHSA-c7w3-x93f-qmm8 | Low | nodemailer@6.9.16 | arm64 amd64 | 8.0.4 | Nodemailer has SMTP command injection due to unsanitized `envelope.size` para... |
| GHSA-c7w3-x93f-qmm8 | Low | nodemailer@7.0.12 | arm64 amd64 | 8.0.4 | Nodemailer has SMTP command injection due to unsanitized `envelope.size` para... |
sonarr:4.0.19.2979-r0
3 Issues
sonarr:4.0.19.2979-r0
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GHSA-8g4q-xg66-9fp4 | High | System.Text.Json@6.0.9 | arm64 amd64 | 6.0.10 | Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerabi... |
| GHSA-59j7-ghrg-fj52 | Medium | Microsoft.IdentityModel.JsonWebTokens@6.8.0 | arm64 amd64 | 6.34.0 | Microsoft ASP.NET Core project templates vulnerable to denial of service |
| GHSA-59j7-ghrg-fj52 | Medium | System.IdentityModel.Tokens.Jwt@6.8.0 | arm64 amd64 | 6.34.0 | Microsoft ASP.NET Core project templates vulnerable to denial of service |
sqlite:3.53.3
Clean
tautulli:2.17.2-r0
6 Issues
tautulli:2.17.2-r0
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| CVE-2026-11940 | High | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | tarfile.extractall() with the 'data' or 'tar' filter cou... |
| CVE-2026-11972 | High | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | When using the "tarfile" module with a file opened in "streami... |
| CVE-2025-15366 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | The imaplib module, when passed a user-controlled command, can have additiona... |
| CVE-2025-15367 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | The poplib module, when passed a user-controlled command, can have additional... |
| CVE-2026-12003 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | To allow builds of Python to be run from an in-tree layout (rather than an in... |
| CVE-2026-0864 | Medium | python-3.14@3.14.6-r1 | arm64 amd64 | Unpatched | When using the "configparser" module to write configuration files c... |
tor:0.4.9.5-r1
Clean
vaultwarden:1.36.0-r3
6 Issues
vaultwarden:1.36.0-r3
| CVE ID | Severity | Package | Arch | Fixed Version | Description |
|---|---|---|---|---|---|
| GHSA-xp3w-r5p5-63rr | High | openssl@0.10.78 | arm64 amd64 | 0.10.79 | rust-openssl has undefined behavior in X509Ref::ocsp_responders for certifica... |
| GHSA-82j2-j2ch-gfr8 | High | rustls-webpki@0.101.7 | arm64 amd64 | 0.103.13 | rustls-webpki: Denial of service via panic on malformed CRL BIT STRING |
| GHSA-xv59-967r-8726 | Medium | openssl@0.10.78 | arm64 amd64 | 0.10.79 | rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-... |
| GHSA-phqj-4mhp-q6mq | Medium | openssl@0.10.78 | arm64 amd64 | 0.10.80 | rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_i... |
| GHSA-965h-392x-2mh5 | Low | rustls-webpki@0.101.7 | arm64 amd64 | 0.103.12 | webpki: Name constraints for URI names were incorrectly accepted |
| GHSA-xgp8-3hg3-c2mh | Low | rustls-webpki@0.101.7 | arm64 amd64 | 0.103.12 | webpki: Name constraints were accepted for certificates asserting a wildcard ... |