apk package
chainguard/gitlab-rails-ce-fips-18.2
pkg:apk/chainguard/gitlab-rails-ce-fips-18.2
Vulnerabilities (57)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-1182 | — | < 18.2.8-r5 | 18.2.8-r5 | Mar 12, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain | ||
| CVE-2026-0595 | — | < 18.2.8-r4 | 18.2.8-r4 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in | ||
| CVE-2026-1458 | — | < 18.2.8-r4 | 18.2.8-r4 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files. | ||
| CVE-2025-68121 | Cri | 10.0 | < 18.2.8-r5 | 18.2.8-r5 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61732 | — | < 18.2.8-r5 | 18.2.8-r5 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||
| CVE-2025-61728 | — | < 18.2.8-r5 | 18.2.8-r5 | Jan 28, 2026 | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | ||
| CVE-2025-61726 | — | < 18.2.8-r5 | 18.2.8-r5 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la | ||
| CVE-2025-61730 | — | < 18.2.8-r5 | 18.2.8-r5 | Jan 28, 2026 | During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i | ||
| CVE-2025-61731 | — | < 18.2.8-r5 | 18.2.8-r5 | Jan 28, 2026 | Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can | ||
| CVE-2025-68119 | — | < 18.2.8-r5 | 18.2.8-r5 | Jan 28, 2026 | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are | ||
| CVE-2025-11224 | — | < 18.2.8-r4 | 18.2.8-r4 | Jan 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes prox | ||
| CVE-2025-3950 | — | < 18.2.8-r4 | 18.2.8-r4 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. | ||
| CVE-2025-9222 | — | < 18.2.8-r4 | 18.2.8-r4 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. | ||
| CVE-2025-10569 | — | < 18.2.8-r4 | 18.2.8-r4 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls. | ||
| CVE-2025-11246 | — | < 18.2.8-r4 | 18.2.8-r4 | Jan 9, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating | ||
| CVE-2025-12029 | — | < 18.2.8-r4 | 18.2.8-r4 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by in | ||
| CVE-2025-12734 | — | < 18.2.8-r4 | 18.2.8-r4 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HT | ||
| CVE-2025-4097 | — | < 18.2.8-r4 | 18.2.8-r4 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images. | ||
| CVE-2025-8405 | — | < 18.2.8-r4 | 18.2.8-r4 | Dec 11, 2025 | GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML int | ||
| CVE-2025-11984 | — | < 18.2.8-r4 | 18.2.8-r4 | Dec 11, 2025 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain con |
- CVE-2026-1182Mar 12, 2026affected < 18.2.8-r5fixed 18.2.8-r5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain
- CVE-2026-0595Feb 11, 2026affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
- CVE-2026-1458Feb 11, 2026affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
- affected < 18.2.8-r5fixed 18.2.8-r5
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61732Feb 5, 2026affected < 18.2.8-r5fixed 18.2.8-r5
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- CVE-2025-61728Jan 28, 2026affected < 18.2.8-r5fixed 18.2.8-r5
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726Jan 28, 2026affected < 18.2.8-r5fixed 18.2.8-r5
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
- CVE-2025-61730Jan 28, 2026affected < 18.2.8-r5fixed 18.2.8-r5
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i
- CVE-2025-61731Jan 28, 2026affected < 18.2.8-r5fixed 18.2.8-r5
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
- CVE-2025-68119Jan 28, 2026affected < 18.2.8-r5fixed 18.2.8-r5
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are
- CVE-2025-11224Jan 14, 2026affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes prox
- CVE-2025-3950Jan 9, 2026affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
- CVE-2025-9222Jan 9, 2026affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
- CVE-2025-10569Jan 9, 2026affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
- CVE-2025-11246Jan 9, 2026affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating
- CVE-2025-12029Dec 11, 2025affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by in
- CVE-2025-12734Dec 11, 2025affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HT
- CVE-2025-4097Dec 11, 2025affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
- CVE-2025-8405Dec 11, 2025affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML int
- CVE-2025-11984Dec 11, 2025affected < 18.2.8-r4fixed 18.2.8-r4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain con
Page 1 of 3