apk package

chainguard/gitlab-rails-ce-18.6

pkg:apk/chainguard/gitlab-rails-ce-18.6

Vulnerabilities (56)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-41888	Med	6.5	< 18.6.6-r4	18.6.6-r4	May 14, 2026	Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even w
CVE-2026-42258	Cri	9.8	< 18.6.6-r4	18.6.6-r4	May 9, 2026	Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issu
CVE-2026-42257	Cri	9.8	< 18.6.6-r4	18.6.6-r4	May 9, 2026	Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived fro
CVE-2026-42256	Med	6.5	< 18.6.6-r4	18.6.6-r4	May 9, 2026	Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a com
CVE-2026-42246	Hig	7.4	< 18.6.6-r4	18.6.6-r4	May 9, 2026	Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in
CVE-2026-42245	Hig	7.5	< 18.6.6-r4	18.6.6-r4	May 9, 2026	Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send
CVE-2026-44837	med	—	< 18.6.6-r4	18.6.6-r4	May 8, 2026	### Summary The system test entrypoint canonicalizes a user-controlled file path with `File.realpath`, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. S
CVE-2026-44836	med	—	< 18.6.6-r4	18.6.6-r4	May 8, 2026	### Summary The preview route derives an example name from the URL and calls it with `public_send`. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on `ViewComponent
CVE-2026-40295	med	—	< 18.6.6-r4	18.6.6-r4	May 8, 2026	## Summary When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker
CVE-2026-42501	Hig	7.5	< 18.6.6-r4	18.6.6-r4	May 7, 2026	A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499	Hig	7.5	< 18.6.6-r4	18.6.6-r4	May 7, 2026	Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836	Hig	7.5	< 18.6.6-r4	18.6.6-r4	May 7, 2026	The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826	Med	6.1	< 18.6.6-r4	18.6.6-r4	May 7, 2026	If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825	Med	5.3	< 18.6.6-r4	18.6.6-r4	May 7, 2026	ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823	Med	6.1	< 18.6.6-r4	18.6.6-r4	May 7, 2026	CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820	Hig	7.5	< 18.6.6-r4	18.6.6-r4	May 7, 2026	Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819	Med	5.3	< 18.6.6-r4	18.6.6-r4	May 7, 2026	The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817	Med	5.9	< 18.6.6-r4	18.6.6-r4	May 7, 2026	The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814	Hig	7.5	< 18.6.6-r4	18.6.6-r4	May 7, 2026	When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811	Hig	7.5	< 18.6.6-r4	18.6.6-r4	May 7, 2026	When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

CVE-2026-41888MedMay 14, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even w
CVE-2026-42258CriMay 9, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issu
CVE-2026-42257CriMay 9, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived fro
CVE-2026-42256MedMay 9, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a com
CVE-2026-42246HigMay 9, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in
CVE-2026-42245HigMay 9, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send
CVE-2026-44837medMay 8, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
### Summary The system test entrypoint canonicalizes a user-controlled file path with `File.realpath`, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. S
CVE-2026-44836medMay 8, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
### Summary The preview route derives an example name from the URL and calls it with `public_send`. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on `ViewComponent
CVE-2026-40295medMay 8, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
## Summary When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker
CVE-2026-42501HigMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499HigMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836HigMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826MedMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825MedMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823MedMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820HigMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819MedMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817MedMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814HigMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811HigMay 7, 2026
affected < 18.6.6-r4fixed 18.6.6-r4
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Page 1 of 3