VYPR

apk package

chainguard/gitaly-fips-18.9

pkg:apk/chainguard/gitaly-fips-18.9

Vulnerabilities (27)

  • CVE-2026-45571MedMay 27, 2026
    affected < 18.9.7-r1fixed 18.9.7-r1

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v

  • CVE-2026-45570CriMay 27, 2026
    affected < 18.9.7-r1fixed 18.9.7-r1

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito

  • CVE-2026-45022HigMay 27, 2026
    affected < 18.9.6-r4fixed 18.9.6-r4

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa

  • CVE-2026-41889CriMay 8, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol

  • CVE-2026-41506MedMay 8, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0

  • CVE-2026-42501HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser

  • CVE-2026-42499HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 18.9.6-r3fixed 18.9.6-r3

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-39883HigApr 8, 2026
    affected < 18.9.5-r1fixed 18.9.5-r1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-33816CriApr 7, 2026
    affected < 0fixed 0

    Memory-safety vulnerability in github.com/jackc/pgx/v5.

  • CVE-2026-34986HigApr 6, 2026
    affected < 18.9.5-r1fixed 18.9.5-r1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

Page 1 of 2