apk package

chainguard/gitlab-rails-ce-doc-fips-18.2

pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.2

Vulnerabilities (54)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-1182		—	< 18.2.8-r5	18.2.8-r5	Mar 12, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain
CVE-2026-0595		—	< 18.2.8-r4	18.2.8-r4	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
CVE-2026-1458		—	< 18.2.8-r4	18.2.8-r4	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
CVE-2025-24293	Cri	—	< 18.2.8-r2	18.2.8-r2	Jan 30, 2026	# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the s
CVE-2025-11224		—	< 18.2.8-r4	18.2.8-r4	Jan 14, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes prox
CVE-2025-3950		—	< 18.2.8-r4	18.2.8-r4	Jan 9, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
CVE-2025-9222		—	< 18.2.8-r4	18.2.8-r4	Jan 9, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
CVE-2025-10569		—	< 18.2.8-r4	18.2.8-r4	Jan 9, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
CVE-2025-11246		—	< 18.2.8-r4	18.2.8-r4	Jan 9, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating
CVE-2025-68696	Hig	8.2	< 18.2.8-r3	18.2.8-r3	Dec 23, 2025	httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.
CVE-2025-12029		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by in
CVE-2025-12734		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HT
CVE-2025-4097		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
CVE-2025-8405		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML int
CVE-2025-11984		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain con
CVE-2025-12562		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query
CVE-2025-13978		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests.
CVE-2025-14157		—	< 18.2.8-r4	18.2.8-r4	Dec 11, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters
CVE-2025-7449		—	< 18.2.8-r4	18.2.8-r4	Nov 26, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing
CVE-2025-12571		—	< 18.2.8-r4	18.2.8-r4	Nov 26, 2025	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing ma

CVE-2026-1182Mar 12, 2026
affected < 18.2.8-r5fixed 18.2.8-r5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain
CVE-2026-0595Feb 11, 2026
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
CVE-2026-1458Feb 11, 2026
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
CVE-2025-24293CriJan 30, 2026
affected < 18.2.8-r2fixed 18.2.8-r2
# Active Storage allowed transformation methods potentially unsafe Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allow for the circumvention of the s
CVE-2025-11224Jan 14, 2026
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes prox
CVE-2025-3950Jan 9, 2026
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
CVE-2025-9222Jan 9, 2026
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
CVE-2025-10569Jan 9, 2026
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
CVE-2025-11246Jan 9, 2026
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating
CVE-2025-68696HigDec 23, 2025
affected < 18.2.8-r3fixed 18.2.8-r3
httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd.
CVE-2025-12029Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by in
CVE-2025-12734Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HT
CVE-2025-4097Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
CVE-2025-8405Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML int
CVE-2025-11984Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain con
CVE-2025-12562Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query
CVE-2025-13978Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests.
CVE-2025-14157Dec 11, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters
CVE-2025-7449Nov 26, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing
CVE-2025-12571Nov 26, 2025
affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing ma

Page 1 of 3