ghcr.io/promptfoo/promptfoo:0.121.17 linux/amd64

ghcr.io/promptfoo/promptfoo:0.121.17 - Trivy security scan results Scan time: 2026-06-29 15:37
All vulnerabilities
Low: 8 Medium: 27 High: 11 Critical: 1

OS: alpine 3.24.1 Scan engine: Trivy Scan time: 2026-06-29 15:37

ghcr.io/promptfoo/promptfoo:0.121.17 (alpine 3.24.1) (alpine)
Low: 0 Medium: 0 High: 0 Critical: 0
Package Vulnerability Severity Installed version Fixed version Vulnerability information
Node.js (node-pkg)
Low: 8 Medium: 27 High: 11 Critical: 1
Package Vulnerability Severity Installed version Fixed version Vulnerability information
shell-quote CVE-2026-9277 Critical 1.8.3 1.8.4 shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-9277

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-05-22 14:16 Modified: 2026-06-17 11:05

form-data CVE-2026-12143 High 4.0.5 2.5.6, 3.0.5, 4.0.6 form-data is a library for creating readable multipart/form-data strea ...

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-12143

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-12 19:16 Modified: 2026-06-17 10:14

hono CVE-2026-54290 High 4.12.23 4.12.25 hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54290

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-22 19:49

protobufjs CVE-2026-48712 High 7.5.8 7.6.1, 8.4.1 protobufjs: Denial of service through unbounded Any expansion during JSON conversion

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-48712

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-26 20:04

react-router CVE-2026-42211 High 7.14.0 7.14.2 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-42211

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-02 20:16 Modified: 2026-06-17 10:47

react-router CVE-2026-42342 High 7.14.0 7.15.0 react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpoint

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-42342

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-02 20:16 Modified: 2026-06-17 10:47

form-data CVE-2026-12143 High 4.0.4 2.5.6, 3.0.5, 4.0.6 form-data is a library for creating readable multipart/form-data strea ...

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-12143

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-12 19:16 Modified: 2026-06-17 10:14

undici CVE-2026-12151 High 6.25.0 6.27.0, 7.28.0, 8.5.0 undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-12151

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 2026-06-17 17:16 Modified: 2026-06-25 17:47

undici CVE-2026-12151 High 7.27.1 6.27.0, 7.28.0, 8.5.0 undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-12151

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 17:16 Modified: 2026-06-25 17:47

undici CVE-2026-6734 High 7.27.1 7.28.0, 8.2.0 undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-6734

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 18:18 Modified: 2026-06-27 23:49

undici CVE-2026-9697 High 7.27.1 7.28.0, 8.5.0 undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-9697

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 18:18 Modified: 2026-06-25 17:42

ws CVE-2026-48779 High 7.5.10 5.2.5, 6.2.4, 7.5.11, 8.21.0 ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-48779

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 13:20 Modified: 2026-06-18 15:25

hono CVE-2026-54286 Medium 4.12.23 4.12.25 hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54286

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-23 15:16

hono CVE-2026-54287 Medium 4.12.23 4.12.25 hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54287

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-22 19:49

hono CVE-2026-54288 Medium 4.12.23 4.12.25 hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54288

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 19:17 Modified: 2026-06-23 15:16

hono CVE-2026-54289 Medium 4.12.23 4.12.25 hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54289

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-22 19:49

http-proxy-middleware CVE-2026-55602 Medium 2.0.9 3.0.6, 4.1.0, 2.0.10 http-proxy-middleware: http-proxy-middleware: Unintended backend routing due to crafted Host header

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-55602

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-26 20:06

ip-address CVE-2026-42338 Medium 10.1.0 10.1.1 ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-42338

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 2026-05-12 20:16 Modified: 2026-06-17 10:47

joi CVE-2026-48038 Medium 17.13.3 18.2.1, 17.13.4 joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-48038

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 0001-01-01 00:00 Modified: 0001-01-01 00:00

js-yaml CVE-2026-53550 Medium 3.14.2 4.2.0 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-53550

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 16:16 Modified: 2026-06-26 20:03

js-yaml CVE-2026-53550 Medium 3.14.2 4.2.0 js-yaml: js-yaml: Denial of Service via crafted YAML merge keys

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-53550

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 16:16 Modified: 2026-06-26 20:03

launch-editor CVE-2026-53632 Medium 2.13.2 2.14.1 launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-53632

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-23 15:44

@opentelemetry/core CVE-2026-54285 Medium 2.7.1 2.8.0 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54285

Image layer: sha256:c1679e4ccfef8459796486f93407113f7d9447c90002a606aded9781091e6658

Published: 2026-06-22 18:16 Modified: 2026-06-23 16:17

protobufjs CVE-2026-54269 Medium 7.5.8 7.6.3, 8.6.0 protobufjs : Schema-derived names can shadow runtime-significant properties

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54269

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 18:16 Modified: 2026-06-24 20:40

@opentelemetry/core CVE-2026-54285 Medium 2.7.1 2.8.0 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54285

Image layer: sha256:c1679e4ccfef8459796486f93407113f7d9447c90002a606aded9781091e6658

Published: 2026-06-22 18:16 Modified: 2026-06-23 16:17

@sigstore/core CVE-2026-48758 Medium 3.2.0 3.2.1 @sigstore/core has DSSE payloadType type-binding failure

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-48758

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 0001-01-01 00:00 Modified: 0001-01-01 00:00

react-router CVE-2026-40181 Medium 7.14.0 7.14.1, 6.30.4 react-router: React Router: Open redirect vulnerability via specially crafted URLs

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-40181

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-02 20:16 Modified: 2026-06-17 10:44

brace-expansion CVE-2026-45149 Medium 5.0.5 5.0.6 brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-45149

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 2026-05-29 20:16 Modified: 2026-06-17 10:51

tar CVE-2026-53655 Medium 7.5.13 7.5.16 node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-53655

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 2026-06-22 16:16 Modified: 2026-06-26 20:03

dompurify GHSA-cmwh-pvxp-8882 Medium 3.4.7 3.4.11 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)

Vulnerability details: https://github.com/advisories/GHSA-cmwh-pvxp-8882

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-18 14:27 Modified: 2026-06-18 14:27

undici CVE-2026-9679 Medium 6.25.0 6.27.0, 7.28.0, 8.5.0 undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-9679

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 2026-06-17 18:18 Modified: 2026-06-25 17:43

dompurify GHSA-cmwh-pvxp-8882 Medium 3.4.9 3.4.11 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)

Vulnerability details: https://github.com/advisories/GHSA-cmwh-pvxp-8882

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-18 14:27 Modified: 2026-06-18 14:27

@opentelemetry/core CVE-2026-54285 Medium 2.7.1 2.8.0 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54285

Image layer: sha256:c1679e4ccfef8459796486f93407113f7d9447c90002a606aded9781091e6658

Published: 2026-06-22 18:16 Modified: 2026-06-23 16:17

@opentelemetry/core CVE-2026-54285 Medium 2.7.1 2.8.0 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54285

Image layer: sha256:c1679e4ccfef8459796486f93407113f7d9447c90002a606aded9781091e6658

Published: 2026-06-22 18:16 Modified: 2026-06-23 16:17

undici CVE-2026-9678 Medium 7.27.1 7.28.0, 8.5.0 undici: Undici: Information disclosure due to improper cache-control header parsing

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-9678

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 18:18 Modified: 2026-06-25 17:44

undici CVE-2026-9679 Medium 7.27.1 6.27.0, 7.28.0, 8.5.0 undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-9679

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 18:18 Modified: 2026-06-25 17:43

uuid CVE-2026-41907 Medium 8.3.2 11.1.1, 12.0.1, 13.0.1 uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-41907

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-04-24 19:17 Modified: 2026-06-17 10:47

webpack-dev-server CVE-2026-9595 Medium 5.2.4 5.2.5 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-9595

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-15 16:16 Modified: 2026-06-17 11:05

@opentelemetry/core CVE-2026-54285 Medium 2.7.1 2.8.0 OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-54285

Image layer: sha256:c1679e4ccfef8459796486f93407113f7d9447c90002a606aded9781091e6658

Published: 2026-06-22 18:16 Modified: 2026-06-23 16:17

esbuild GHSA-g7r4-m6w7-qqqr Low 0.27.7 0.28.1 esbuild allows arbitrary file read when running the development server on Windows

Vulnerability details: https://github.com/advisories/GHSA-g7r4-m6w7-qqqr

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-12 20:08 Modified: 2026-06-12 20:08

react-router CVE-2026-53663 Low 7.14.0 7.15.1 react-router: @remix-run/server-runtime: React Router: Insufficient CSRF protection allows integrity impact

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-53663

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-22 19:17 Modified: 2026-06-23 16:04

undici CVE-2026-11525 Low 6.25.0 6.27.0, 7.28.0, 8.5.0 undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-11525

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 2026-06-17 18:17 Modified: 2026-06-25 17:46

undici CVE-2026-11525 Low 7.27.1 6.27.0, 7.28.0, 8.5.0 undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-11525

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 18:17 Modified: 2026-06-25 17:46

undici CVE-2026-6733 Low 7.27.1 6.27.0, 7.28.0, 8.5.0 undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-6733

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-17 18:18 Modified: 2026-06-27 23:46

undici CVE-2026-6733 Low 6.25.0 6.27.0, 7.28.0, 8.5.0 undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.

Vulnerability details: https://avd.aquasec.com/nvd/cve-2026-6733

Image layer: sha256:6966e360c462d50cda6c02920293f497cf6c749d0a3149307c9088a33530860f

Published: 2026-06-17 18:18 Modified: 2026-06-27 23:46

dompurify GHSA-vxr8-fq34-vvx9 Low 3.4.7 3.4.9 DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output

Vulnerability details: https://github.com/advisories/GHSA-vxr8-fq34-vvx9

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-15 20:12 Modified: 2026-06-15 20:12

dompurify GHSA-gvmj-g25r-r7wr Low 3.4.7 3.4.8 DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes

Vulnerability details: https://github.com/advisories/GHSA-gvmj-g25r-r7wr

Image layer: sha256:9b7d70205f1737fb6af23ad4e6697adb8d14121331c5297e264eab46d65e9656

Published: 2026-06-15 20:02 Modified: 2026-06-15 20:02

/app/dist/src/app/assets/index-Cc0-UlCt.js ()
Low: 0 Medium: 0 High: 0 Critical: 0
Package Vulnerability Severity Installed version Fixed version Vulnerability information