VYPR

apk package

chainguard/gitlab-rails-ce-18.8

pkg:apk/chainguard/gitlab-rails-ce-18.8

Vulnerabilities (72)

  • CVE-2026-25679 | Severity: High | Mar 6, 2026
    affected: < 18.8.6-r0, fixed: 18.8.6-r0

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-15558 | Mar 4, 2026
    affected: < 0, fixed: 0

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2026-1229 | Feb 24, 2026
    affected: < 18.8.6-r1, fixed: 18.8.6-r1

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2026-25500 | Feb 18, 2026
    affected: < 18.8.7-r0, fixed: 18.8.7-r0

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g.

  • CVE-2026-22860 | Feb 18, 2026
    affected: < 18.8.7-r0, fixed: 18.8.7-r0

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root stri

  • CVE-2026-25934 | Feb 9, 2026
    affected: < 18.8.4-r1, fixed: 18.8.4-r1

    go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,

  • CVE-2025-58190 | Feb 5, 2026
    affected: < 18.8.4-r1, fixed: 18.8.4-r1

    The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-47911 | Feb 5, 2026
    affected: < 18.8.4-r1, fixed: 18.8.4-r1

    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-68696 | Severity: High | Dec 23, 2025
    affected: < 18.8.8-r0, fixed: 18.8.8-r0

    httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.

  • CVE-2025-47914 | Nov 19, 2025
    affected: < 18.8.4-r1, fixed: 18.8.4-r1

    SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic, due to an out-of-bounds read, if the message is malformed.

  • CVE-2025-58181 | Nov 19, 2025
    affected: < 18.8.4-r1, fixed: 18.8.4-r1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-47913 | Nov 13, 2025
    affected: < 18.8.4-r1, fixed: 18.8.4-r1

    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.