Grype Report
Name:linkitaly/govway:master4
Type: image
Date: 2026-02-24T06:26:45.405594991+01:00
Critical
0
High
1
Medium
9
Low
1
Unknown
0
| Name | Version | Type | Vulnerability | Severity | Description | State | Fixed In |
|---|---|---|---|---|---|---|---|
| libpng | 1.6.54-r0 | apk | CVE-2026-25646 | High | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55. | unknown | N/A |
| busybox | 1.37.0-r30 | apk | CVE-2025-60876 | Medium | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | N/A | |
| busybox-binsh | 1.37.0-r30 | apk | CVE-2025-60876 | Medium | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | N/A | |
| ssl_client | 1.37.0-r30 | apk | CVE-2025-60876 | Medium | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | N/A | |
| curl | 8.17.0-r1 | apk | CVE-2025-15224 | Low | When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | unknown | N/A |
| curl | 8.17.0-r1 | apk | CVE-2025-14819 | Medium | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | unknown | N/A |
| curl | 8.17.0-r1 | apk | CVE-2025-14524 | Medium | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | unknown | N/A |
| curl | 8.17.0-r1 | apk | CVE-2025-15079 | Medium | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | unknown | N/A |
| curl | 8.17.0-r1 | apk | CVE-2025-13034 | Medium | When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | unknown | N/A |
| curl | 8.17.0-r1 | apk | CVE-2025-14017 | Medium | When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well. | unknown | N/A |
| zlib | 1.3.1-r2 | apk | CVE-2026-27171 | Medium | zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. | unknown | N/A |