| CVE-2025-15467 | critical | libcrypto3 | libcrypto3@3.6.0-r6 | N/A | Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD ... |
| CVE-2025-68121 | critical | stdlib | v1.25.5 | N/A | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs field... |
| CVE-2025-69872 | critical | diskcache | 5.6.3 | N/A | DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attac... |
| CVE-2026-1229 | critical | github.com/cloudflare/circl | v1.6.1 | N/A | The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect valu... |
| CVE-2026-33186 | critical | google.golang.org/grpc | v1.77.0 | N/A | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization by... |
| CVE-2025-13836 | high | python-3.10-dev | 3.10.19-r3 | N/A | When reading an HTTP response from a server, if no read amount is specified, the default behavior wi... |
| CVE-2025-15281 | high | glibc-dev | 2.42-r5 | N/A | Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to ... |
| CVE-2025-45768 | high | PyJWT | 2.10.1 | N/A | pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier beca... |
| CVE-2025-61726 | high | stdlib | v1.25.5 | N/A | The net/url package does not set a limit on the number of query parameters in a query. While the max... |
| CVE-2025-61728 | high | stdlib | stdlib@v1.25.5 | N/A | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file i... |
| CVE-2025-69223 | high | aiohttp | 3.13.2 | N/A | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and ... |
| CVE-2025-69227 | high | aiohttp | 3.13.2 | N/A | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and ... |
| CVE-2025-69228 | high | aiohttp | 3.13.2 | N/A | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and ... |
| CVE-2025-69419 | high | libssl3 | 3.6.0-r6 | N/A | Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with... |
| CVE-2025-69420 | high | libcrypto3 | 3.6.0-r6 | N/A | Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code whe... |
| CVE-2025-69421 | high | libcrypto3 | 3.6.0-r6 | N/A | Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKC... |
| CVE-2026-0861 | high | nss-hesiod | 2.42-r5 | N/A | Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned... |
| CVE-2026-0915 | high | libcrypt1 | 2.42-r5 | N/A | Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's ... |
| CVE-2026-0994 | high | protobuf | | N/A | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python,... |
| CVE-2026-1299 | high | python-3.10 | python-3.10@3.10.19-r3 | N/A | The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for ema... |
| CVE-2026-21226 | high | azure-core | 1.36.0 | N/A | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorize... |
| CVE-2026-21441 | high | urllib3 | 2.6.1 | N/A | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient ... |
| CVE-2026-23949 | high | jaraco.context | 5.3.0 | N/A | jaraco.context, an open-source software package that provides some useful decorators and context man... |
| CVE-2026-24049 | high | wheel | | N/A | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions... |
| CVE-2026-24051 | high | go.opentelemetry.io/otel/sdk | v1.38.0 | N/A | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.2... |
| CVE-2026-25679 | high | stdlib | v1.25.5 | N/A | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2026-25990 | high | pillow | 12.0.0 | N/A | Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be trigg... |
| CVE-2026-26007 | high | cryptography | | N/A | cryptography is a package designed to expose cryptographic primitives and recipes to Python develope... |
| CVE-2026-2673 | high | libcrypto3 | 3.6.0-r6 | N/A | Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange g... |
| CVE-2026-31958 | high | tornado | 6.5.3 | N/A | Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior ... |
| CVE-2026-32597 | high | PyJWT | 2.10.1 | N/A | PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the cri... |
25.08.3 (Dasher.3) Vulnerability Remediation - 2026-04-02
Due Date: 2026-04-16
Tracking Issue: h2oai/cloud-platform#964
Fix Version
Version Notice
Verifying Vulnerabilities with Trivy
Vulnerabilities by Image
h2oai-llmstudio-app:v1.14.7
h2oai-llmstudio-app:v1.14.7-bundle