Vulnerability Report
- Name: carpediem-api-carpediem-api
- Type: image
- Checksum: sha256:f22d6a27ff56407e6a716251e838bbaea4445a2c6a6ff0fd8b50521fed872ff4
- Date: 2026-01-07T04:58:52.131537105Z

Findings by severity:
- Critical: 2
- High: 5
- Medium: 16
- Low: 14
- Unknown: 0
| Name | Version | Type | Vulnerability | Severity | Risk | State | Fixed In | Description | Related URLs | PURL |
|---|---|---|---|---|---|---|---|---|---|---|
| python | 3.13.9 | binary | CVE-2025-12084 | Medium | 0.09% | fixed | | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache(), the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | ["https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0","https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4","https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437","https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907","https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d","https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8","https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964","https://github.com/python/cpython/issues/142145","https://github.com/python/cpython/pull/142146"] | pkg:generic/python@3.13.9 |
| django | 5.2.5 | python | GHSA-frmv-pr5f-9mcr | Critical | 0.09% | fixed | | Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. | [] | pkg:pypi/django@5.2.5 |
| python | 3.13.9 | binary | CVE-2025-13836 | Critical | 0.07% | fixed | | When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. | ["https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628","https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15","https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155","https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5","https://github.com/python/cpython/issues/119451","https://github.com/python/cpython/pull/119454","https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/"] | pkg:generic/python@3.13.9 |
| python | 3.13.9 | binary | CVE-2025-8291 | Medium | 0.06% | fixed | | The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value; the offset value would not be used to locate the ZIP64 EOCD record, and instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value. | ["https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267","https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46","https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6","https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196","https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4","https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388","https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3","https://github.com/python/cpython/issues/139700","https://github.com/python/cpython/pull/139702","https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/","https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p","https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json"] | pkg:generic/python@3.13.9 |
| jq | 1.8.0-r0 | apk | CVE-2025-49014 | Medium | 0.03% | fixed | | | [] | pkg:apk/alpine/jq@1.8.0-r0?arch=x86_64&distro=alpine-3.22.2 |
| libpq | 17.6-r0 | apk | CVE-2025-12818 | Medium | 0.03% | fixed | | | [] | pkg:apk/alpine/libpq@17.6-r0?arch=x86_64&distro=alpine-3.22.2&upstream=postgresql17 |
| busybox | 1.37.0-r19 | apk | CVE-2025-60876 | Medium | 0.03% | | N/A | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"] | pkg:apk/alpine/busybox@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2 |
| busybox-binsh | 1.37.0-r19 | apk | CVE-2025-60876 | Medium | 0.03% | | N/A | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"] | pkg:apk/alpine/busybox-binsh@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox |
| ssl_client | 1.37.0-r19 | apk | CVE-2025-60876 | Medium | 0.03% | | N/A | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"] | pkg:apk/alpine/ssl_client@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox |
| c-ares | 1.34.5-r0 | apk | CVE-2025-62408 | Medium | 0.03% | fixed | | | [] | pkg:apk/alpine/c-ares@1.34.5-r0?arch=x86_64&distro=alpine-3.22.2 |
| django | 5.2.5 | python | GHSA-vrcr-9hj9-jcg6 | Medium | 0.03% | fixed | | Django is vulnerable to DoS via XML serializer text extraction | [] | pkg:pypi/django@5.2.5 |
| django | 5.2.5 | python | GHSA-qw25-v68c-qjf3 | High | 0.02% | fixed | | Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows | [] | pkg:pypi/django@5.2.5 |
| django | 5.2.5 | python | GHSA-hpr9-3m2g-3j9p | High | 0.01% | fixed | | Django vulnerable to SQL injection in column aliases | [] | pkg:pypi/django@5.2.5 |
| libpq | 17.6-r0 | apk | CVE-2025-12817 | Low | 0.01% | fixed | | | [] | pkg:apk/alpine/libpq@17.6-r0?arch=x86_64&distro=alpine-3.22.2&upstream=postgresql17 |
| urllib3 | 2.5.0 | python | GHSA-2xpw-w6gg-jr37 | High | 0.01% | fixed | | urllib3 streaming API improperly handles highly compressed data | [] | pkg:pypi/urllib3@2.5.0 |
| django | 5.2.5 | python | GHSA-q95w-c7qg-hrff | Low | 0.01% | fixed | | Django vulnerable to partial directory traversal via archives | [] | pkg:pypi/django@5.2.5 |
| django | 5.2.5 | python | GHSA-6w2r-r2m5-xq5w | High | 0.01% | fixed | | Django is subject to SQL injection through its column aliases | [] | pkg:pypi/django@5.2.5 |
| pip | 25.2 | python | GHSA-4xh5-x5gv-qwph | Medium | 0.01% | fixed | | pip's fallback tar extraction doesn't check symbolic links point to extraction directory | [] | pkg:pypi/pip@25.2 |
| curl | 8.14.1-r2 | apk | CVE-2025-10966 | Medium | 0.01% | unknown | N/A | curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more. | ["https://curl.se/docs/CVE-2025-10966.html","https://curl.se/docs/CVE-2025-10966.json","https://hackerone.com/reports/3355218","http://www.openwall.com/lists/oss-security/2025/11/05/2"] | pkg:apk/alpine/curl@8.14.1-r2?arch=x86_64&distro=alpine-3.22.2 |
| busybox | 1.37.0-r19 | apk | CVE-2024-58251 | Low | 0.01% | fixed | | | [] | pkg:apk/alpine/busybox@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2 |
| busybox-binsh | 1.37.0-r19 | apk | CVE-2024-58251 | Low | 0.01% | fixed | | | [] | pkg:apk/alpine/busybox-binsh@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox |
| ssl_client | 1.37.0-r19 | apk | CVE-2024-58251 | Low | 0.01% | fixed | | | [] | pkg:apk/alpine/ssl_client@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox |
| busybox | 1.37.0-r19 | apk | CVE-2025-46394 | Low | 0.01% | fixed | | | [] | pkg:apk/alpine/busybox@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2 |
| busybox-binsh | 1.37.0-r19 | apk | CVE-2025-46394 | Low | 0.01% | fixed | | | [] | pkg:apk/alpine/busybox-binsh@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox |
| ssl_client | 1.37.0-r19 | apk | CVE-2025-46394 | Low | 0.01% | fixed | | | [] | pkg:apk/alpine/ssl_client@1.37.0-r19?arch=x86_64&distro=alpine-3.22.2&upstream=busybox |
| python | 3.13.9 | binary | CVE-2025-13837 | Low | 0.01% | fixed | | When loading a plist file, the plistlib module reads data in a size specified by the file itself, meaning a malicious file can cause OOM and DoS issues | ["https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b","https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70","https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba","https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb","https://github.com/python/cpython/issues/119342","https://github.com/python/cpython/pull/119343","https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"] | pkg:generic/python@3.13.9 |
| python | 3.13.9 | binary | CVE-2025-6075 | Low | 0.00% | fixed | | If the value passed to os.path.expandvars() is user-controlled, a performance degradation is possible when expanding environment variables. | ["https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c","https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427","https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84","https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca","https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742","https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba","https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c","https://github.com/python/cpython/issues/136065","https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"] | pkg:generic/python@3.13.9 |
| django | 5.2.5 | python | GHSA-rqw2-ghq9-44m7 | Medium | 0.00% | fixed | | Django is vulnerable to SQL injection in column aliases | [] | pkg:pypi/django@5.2.5 |
| aiohttp | 3.12.15 | python | GHSA-6mq8-rvhq-8wgg | High | 0.00% | fixed | | AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb | [] | pkg:pypi/aiohttp@3.12.15 |
| aiohttp | 3.12.15 | python | GHSA-6jhg-hg63-jvvf | Medium | 0.00% | fixed | | AIOHTTP vulnerable to denial of service through large payloads | [] | pkg:pypi/aiohttp@3.12.15 |
| aiohttp | 3.12.15 | python | GHSA-g84x-mcqj-x9qq | Medium | 0.00% | fixed | | AIOHTTP vulnerable to DoS through chunked messages | [] | pkg:pypi/aiohttp@3.12.15 |
| aiohttp | 3.12.15 | python | GHSA-jj3x-wxrx-4x23 | Medium | 0.00% | fixed | | AIOHTTP vulnerable to DoS when bypassing asserts | [] | pkg:pypi/aiohttp@3.12.15 |
| aiohttp | 3.12.15 | python | GHSA-54jq-c3m8-4m76 | Low | 0.00% | fixed | | AIOHTTP vulnerable to brute-force leak of internal static file path components | [] | pkg:pypi/aiohttp@3.12.15 |
| aiohttp | 3.12.15 | python | GHSA-69f9-5gxw-wvc2 | Low | 0.00% | fixed | | AIOHTTP's unicode processing of header values could cause parsing discrepancies | [] | pkg:pypi/aiohttp@3.12.15 |
| aiohttp | 3.12.15 | python | GHSA-fh55-r93g-j68g | Low | 0.00% | fixed | | AIOHTTP Vulnerable to Cookie Parser Warning Storm | [] | pkg:pypi/aiohttp@3.12.15 |
| aiohttp | 3.12.15 | python | GHSA-mqqc-3gqh-h2x8 | Low | 0.00% | fixed | | AIOHTTP has unicode match groups in regexes for ASCII protocol elements | [] | pkg:pypi/aiohttp@3.12.15 |