| GHSA-2w6w-674q-4c4q | Critical | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection via AST Type Confusion |
| GHSA-g5hg-p3ph-g8qg | High | multer@1.4.5-lts.1 | arm64 amd64 | 2.0.1 | Multer vulnerable to Denial of Service via unhandled exception |
| GHSA-v9p9-hfj2-hcw8 | High | undici@7.18.2 | arm64 amd64 | 7.24.0 | Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_... |
| GHSA-rcmh-qjqh-p98v | High | nodemailer@6.10.0 | arm64 amd64 | 7.0.11 | Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls |
| GHSA-rcmh-qjqh-p98v | High | nodemailer@6.9.16 | arm64 amd64 | 7.0.11 | Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls |
| GHSA-44fp-w29j-9vj5 | High | multer@1.4.5-lts.1 | arm64 amd64 | 2.0.0 | Multer vulnerable to Denial of Service via memory leaks from unclosed streams |
| GHSA-f269-vfmq-vjvj | High | undici@7.18.2 | arm64 amd64 | 7.24.0 | Undici: Malicious WebSocket 64-bit length overflows parser and crashes the cl... |
| GHSA-pf86-5x62-jrwf | High | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, a... |
| GHSA-6chq-wfr3-2hj9 | High | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Header Injection via Prototype Pollution |
| GHSA-9cx6-37pm-9jff | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Templat... |
| GHSA-5528-5vmv-3xc2 | High | multer@1.4.5-lts.1 | arm64 amd64 | 2.1.1 | Multer Vulnerable to Denial of Service via Uncontrolled Recursion |
| GHSA-37ch-88jc-xwx2 | High | path-to-regexp@0.1.12 | arm64 amd64 | 0.1.13 | path-to-regexp vulnerable to Regular Expression Denial of Service via multipl... |
| GHSA-3mfm-83xf-c92r | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @p... |
| GHSA-pmwg-cvhr-8vh7 | High | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via R... |
| GHSA-4pg4-qvpc-4q3h | High | multer@1.4.5-lts.1 | arm64 amd64 | 2.0.0 | Multer vulnerable to Denial of Service from maliciously crafted requests |
| GHSA-r5fr-rjxr-66jc | High | lodash@4.17.23 | arm64 amd64 | 4.18.0 | lodash vulnerable to Code Injection via `_.template` imports key names |
| GHSA-r5fr-rjxr-66jc | High | lodash-es@4.17.23 | arm64 amd64 | 4.18.0 | lodash vulnerable to Code Injection via `_.template` imports key names |
| GHSA-7r86-cg39-jmmj | High | minimatch@3.1.2 | arm64 amd64 | 3.1.3 | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-a... |
| GHSA-7r86-cg39-jmmj | High | minimatch@5.1.6 | arm64 amd64 | 5.1.8 | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-a... |
| GHSA-7r86-cg39-jmmj | High | minimatch@9.0.5 | arm64 amd64 | 9.0.7 | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-a... |
| GHSA-q8qp-cvcw-x6jj | High | axios@1.15.0 | arm64 amd64 | 1.15.2 | Axios has prototype pollution read-side gadgets in HTTP adapter that allow cr... |
| GHSA-xhpv-hc6g-r9c6 | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an... |
| GHSA-3ppc-4f35-3m26 | High | minimatch@3.1.2 | arm64 amd64 | 3.1.3 | minimatch has a ReDoS via repeated wildcards with non-matching literal in pat... |
| GHSA-3ppc-4f35-3m26 | High | minimatch@5.1.6 | arm64 amd64 | 5.1.7 | minimatch has a ReDoS via repeated wildcards with non-matching literal in pat... |
| GHSA-3ppc-4f35-3m26 | High | minimatch@9.0.5 | arm64 amd64 | 9.0.6 | minimatch has a ReDoS via repeated wildcards with non-matching literal in pat... |
| GHSA-23c5-xmqv-rm74 | High | minimatch@3.1.2 | arm64 amd64 | 3.1.4 | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking r... |
| GHSA-23c5-xmqv-rm74 | High | minimatch@5.1.6 | arm64 amd64 | 5.1.8 | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking r... |
| GHSA-23c5-xmqv-rm74 | High | minimatch@9.0.5 | arm64 amd64 | 9.0.7 | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking r... |
| GHSA-34x7-hfp2-rc4v | High | tar@6.2.1 | arm64 amd64 | 7.5.7 | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Tr... |
| GHSA-v52c-386h-88mc | High | multer@1.4.5-lts.1 | arm64 amd64 | 2.1.0 | Multer vulnerable to Denial of Service via resource exhaustion |
| GHSA-xf7r-hgr6-v32p | High | multer@1.4.5-lts.1 | arm64 amd64 | 2.1.0 | Multer vulnerable to Denial of Service via incomplete cleanup |
| GHSA-qpx9-hpmf-5gmw | High | underscore@1.13.7 | arm64 amd64 | 1.13.8 | Underscore has unlimited recursion in _.flatten and _.isEqual, potential for ... |
| GHSA-vrm6-8vpv-qv8q | High | undici@7.18.2 | arm64 amd64 | 7.24.0 | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decom... |
| GHSA-c2c7-rcm5-vvqj | High | picomatch@2.3.1 | arm64 amd64 | 2.3.2 | Picomatch has a ReDoS vulnerability via extglob quantifiers |
| GHSA-fjgf-rc76-4x9p | High | multer@1.4.5-lts.1 | arm64 amd64 | 2.0.2 | Multer vulnerable to Denial of Service via unhandled exception from malformed... |
| GHSA-xjpj-3mr7-gcpf | High | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names... |
| GHSA-r6q2-hw4h-h46w | High | tar@6.2.1 | arm64 amd64 | 7.5.4 | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions ... |
| GHSA-9ppj-qmqm-q256 | High | tar@6.2.1 | arm64 amd64 | 7.5.11 | node-tar Symlink Path Traversal via Drive-Relative Linkpath |
| GHSA-qffp-2rhf-9h96 | High | tar@6.2.1 | arm64 amd64 | 7.5.10 | tar has Hardlink Path Traversal via Drive-Relative Linkpath |
| GHSA-83g3-92jg-28cx | High | tar@6.2.1 | arm64 amd64 | 7.5.8 | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in... |
| GHSA-8qq5-rm4j-mr97 | High | tar@6.2.1 | arm64 amd64 | 7.5.3 | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via ... |
| GHSA-fv7c-fp4j-7gwp | High | @babel/plugin-transform-modules-systemjs@7.24.7 | arm64 amd64 | 7.29.4 | @babel/plugin-transform-modules-systemjs generates arbitrary code when compil... |
| GHSA-h25m-26qc-wcjf | High | next@14.2.35 | arm64 amd64 | 15.0.8 | Next.js HTTP request deserialization can lead to DoS when using insecure Reac... |
| GHSA-q4gf-8mx6-v5v3 | High | next@14.2.35 | arm64 amd64 | 15.5.15 | Next.js has a Denial of Service with Server Components |
| GHSA-3w6x-2g7m-8v23 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.2 | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `p... |
| GHSA-968p-4wvh-cqc8 | Medium | @babel/runtime@7.22.5 | arm64 amd64 | 7.26.10 | Babel has inefficient RegExp complexity in generated code with .replace when ... |
| GHSA-w9j2-pvgh-6h63 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatu... |
| GHSA-6rw7-vpxm-498p | Medium | qs@6.13.0 | arm64 amd64 | 6.14.1 | qs's arrayLimit bypass in its bracket notation allows DoS via memory exh... |
| GHSA-62hf-57xw-28j9 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: unbounded recursion in toFormData causes DoS via deeply nested request... |
| GHSA-445q-vr5w-6q77 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type i... |
| GHSA-w5hq-g745-h8pq | Medium | uuid@11.1.0 | arm64 amd64 | 11.1.1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided |
| GHSA-2qvq-rjwj-gvw9 | Medium | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template... |
| GHSA-3v7f-55p6-f55p | Medium | picomatch@2.3.1 | arm64 amd64 | 2.3.2 | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob ... |
| GHSA-48c2-rrv3-qjmp | Medium | yaml@1.10.2 | arm64 amd64 | 1.10.3 | yaml is vulnerable to Stack Overflow via deeply nested YAML collections |
| GHSA-5c9x-8gcm-mpgx | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedire... |
| GHSA-vf2m-468p-8v99 | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: HTTP adapter streamed responses bypass maxContentLength |
| GHSA-m7pr-hjqh-92cm | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: no_proxy bypass via IP alias allows SSRF |
| GHSA-xx6v-rp6x-q39c | Medium | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `wit... |
| GHSA-ggv3-7p47-pfv8 | Medium | next@14.2.35 | arm64 amd64 | 15.5.13 | Next.js: HTTP request smuggling in rewrites |
| GHSA-qx2v-qp2m-jg93 | Medium | postcss@8.4.31 | arm64 amd64 | 8.5.10 | PostCSS has XSS via Unescaped `</style>` in its CSS Stringify Output |
| GHSA-mm7p-fcc7-pg87 | Medium | nodemailer@6.10.0 | arm64 amd64 | 7.0.7 | Nodemailer: Email to an unintended domain can occur due to Interpretation Con... |
| GHSA-mm7p-fcc7-pg87 | Medium | nodemailer@6.9.16 | arm64 amd64 | 7.0.7 | Nodemailer: Email to an unintended domain can occur due to Interpretation Con... |
| GHSA-gh4j-gqv2-49f6 | Medium | fast-xml-parser@4.5.6 | arm64 amd64 | 5.7.0 | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Del... |
| GHSA-9g9p-9gw9-jx7f | Medium | next@14.2.35 | arm64 amd64 | 15.5.10 | Next.js self-hosted applications vulnerable to DoS via Image Optimizer remote... |
| GHSA-f23m-r3pf-42rh | Medium | lodash@4.17.23 | arm64 amd64 | 4.18.0 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` a... |
| GHSA-f23m-r3pf-42rh | Medium | lodash-es@4.17.23 | arm64 amd64 | 4.18.0 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` a... |
| GHSA-f886-m6hf-6m8v | Medium | brace-expansion@1.1.12 | arm64 amd64 | 1.1.13 | brace-expansion: Zero-step sequence causes process hang and memory exhaustion |
| GHSA-f886-m6hf-6m8v | Medium | brace-expansion@2.0.2 | arm64 amd64 | 2.0.3 | brace-expansion: Zero-step sequence causes process hang and memory exhaustion |
| GHSA-3x4c-7xq6-9pq8 | Medium | next@14.2.35 | arm64 amd64 | 15.5.14 | Next.js: Unbounded next/image disk cache growth can exhaust storage |
| GHSA-378v-28hj-76wf | Medium | bn.js@4.12.2 | arm64 amd64 | 4.12.3 | bn.js affected by an infinite loop |
| GHSA-phc3-fgpg-7m6h | Medium | undici@7.18.2 | arm64 amd64 | 7.24.0 | Undici has Unbounded Memory Consumption in its DeduplicationHandler via Respo... |
| GHSA-2mjp-6q6p-2qxm | Medium | undici@7.18.2 | arm64 amd64 | 7.24.0 | Undici has an HTTP Request/Response Smuggling issue |
| GHSA-2g4f-4pwh-qvx6 | Medium | ajv@6.12.6 | arm64 amd64 | 6.14.0 | ajv has ReDoS when using `$data` option |
| GHSA-4992-7rv2-5pvq | Medium | undici@7.18.2 | arm64 amd64 | 7.24.0 | Undici has CRLF Injection in undici via `upgrade` option |
| GHSA-7rx3-28cr-v5wh | Medium | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupS... |
| GHSA-v2v4-37r5-5v8g | Medium | ip-address@9.0.5 | arm64 amd64 | 10.1.1 | ip-address has XSS in Address6 HTML-emitting methods |
| GHSA-vvjj-xcjg-gr5g | Medium | nodemailer@6.10.0 | arm64 amd64 | 8.0.5 | Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Op... |
| GHSA-vvjj-xcjg-gr5g | Medium | nodemailer@6.9.16 | arm64 amd64 | 8.0.5 | Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Op... |
| GHSA-vvjj-xcjg-gr5g | Medium | nodemailer@7.0.12 | arm64 amd64 | 8.0.5 | Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Op... |
| GHSA-7gmj-h9xc-mcxc | Low | mailparser@3.7.2 | arm64 amd64 | 3.9.3 | mailparser vulnerable to Cross-site Scripting |
| GHSA-w7fw-mjwx-w883 | Low | qs@6.13.0 | arm64 amd64 | 6.14.2 | qs's arrayLimit bypass in comma parsing allows denial of service |
| GHSA-w7fw-mjwx-w883 | Low | qs@6.14.1 | arm64 amd64 | 6.14.2 | qs's arrayLimit bypass in comma parsing allows denial of service |
| GHSA-xhjh-pmcv-23jw | Low | axios@1.15.0 | arm64 amd64 | 1.15.1 | Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams |
| GHSA-vpq2-c234-7xj6 | Low | @tootallnate/once@1.1.2 | arm64 amd64 | 3.0.1 | @tootallnate/once vulnerable to Incorrect Control Flow Scoping |
| GHSA-vpq2-c234-7xj6 | Low | @tootallnate/once@2.0.0 | arm64 amd64 | 3.0.1 | @tootallnate/once vulnerable to Incorrect Control Flow Scoping |
| GHSA-442j-39wm-28r2 | Low | handlebars@4.7.8 | arm64 amd64 | 4.7.9 | Handlebars.js has a Property Access Validation Bypass in container.lookup |
| GHSA-c7w3-x93f-qmm8 | Low | nodemailer@6.10.0 | arm64 amd64 | 8.0.4 | Nodemailer has SMTP command injection due to unsanitized `envelope.size` para... |
| GHSA-c7w3-x93f-qmm8 | Low | nodemailer@6.9.16 | arm64 amd64 | 8.0.4 | Nodemailer has SMTP command injection due to unsanitized `envelope.size` para... |
| GHSA-c7w3-x93f-qmm8 | Low | nodemailer@7.0.12 | arm64 amd64 | 8.0.4 | Nodemailer has SMTP command injection due to unsanitized `envelope.size` para... |