apk package

chainguard/gitlab-rails-ce-assets-fips-18.8

pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.8

Vulnerabilities (23)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-0595		—	< 18.8.4-r0	18.8.4-r0	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
CVE-2026-1094		—	< 18.8.4-r0	18.8.4-r0	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
CVE-2026-1282		—	< 18.8.4-r0	18.8.4-r0	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.
CVE-2026-1456		—	< 18.8.4-r0	18.8.4-r0	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger expo
CVE-2026-1458		—	< 18.8.4-r0	18.8.4-r0	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
CVE-2026-0775	Hig	7.0	< 18.8.3-r0	18.8.3-r0	Jan 23, 2026	npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system i
CVE-2026-24001		—	< 0	0	Jan 22, 2026	jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop.
CVE-2024-36361	Med	6.8	< 0	0	May 24, 2024	Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and t
CVE-2021-23383		—	< 0	0	May 4, 2021	The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-23369		—	< 0	0	Apr 12, 2021	The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-21353		—	< 0	0	Mar 3, 2021	Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug temp
CVE-2020-7788		—	< 0	0	Dec 11, 2020	This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2019-20920		—	< 0	0	Sep 30, 2020	Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing
CVE-2020-7712		—	< 0	0	Aug 30, 2020	This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.
CVE-2020-15095		—	< 0	0	Jul 7, 2020	Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
CVE-2019-19919		—	< 0	0	Dec 20, 2019	Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
CVE-2019-16777		—	< 0	0	Dec 13, 2019	Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
CVE-2019-16776		—	< 0	0	Dec 13, 2019	Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
CVE-2019-16775		—	< 0	0	Dec 13, 2019	Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
CVE-2018-7408		—	< 0	0	Feb 22, 2018	An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass i

CVE-2026-0595Feb 11, 2026
affected < 18.8.4-r0fixed 18.8.4-r0
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
CVE-2026-1094Feb 11, 2026
affected < 18.8.4-r0fixed 18.8.4-r0
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
CVE-2026-1282Feb 11, 2026
affected < 18.8.4-r0fixed 18.8.4-r0
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.
CVE-2026-1456Feb 11, 2026
affected < 18.8.4-r0fixed 18.8.4-r0
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger expo
CVE-2026-1458Feb 11, 2026
affected < 18.8.4-r0fixed 18.8.4-r0
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
CVE-2026-0775HigJan 23, 2026
affected < 18.8.3-r0fixed 18.8.3-r0
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system i
CVE-2026-24001Jan 22, 2026
affected < 0fixed 0
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop.
CVE-2024-36361MedMay 24, 2024
affected < 0fixed 0
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and t
CVE-2021-23383May 4, 2021
affected < 0fixed 0
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-23369Apr 12, 2021
affected < 0fixed 0
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
CVE-2021-21353Mar 3, 2021
affected < 0fixed 0
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug temp
CVE-2020-7788Dec 11, 2020
affected < 0fixed 0
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
CVE-2019-20920Sep 30, 2020
affected < 0fixed 0
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing
CVE-2020-7712Aug 30, 2020
affected < 0fixed 0
This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function.
CVE-2020-15095Jul 7, 2020
affected < 0fixed 0
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also
CVE-2019-19919Dec 20, 2019
affected < 0fixed 0
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
CVE-2019-16777Dec 13, 2019
affected < 0fixed 0
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subse
CVE-2019-16776Dec 13, 2019
affected < 0fixed 0
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher t
CVE-2019-16775Dec 13, 2019
affected < 0fixed 0
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would a
CVE-2018-7408Feb 22, 2018
affected < 0fixed 0
An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's blog without mention of pre-release status). It might allow local users to bypass i

Page 1 of 2