apk package

chainguard/gitlab-rails-ce-fips-18.7

pkg:apk/chainguard/gitlab-rails-ce-fips-18.7

Vulnerabilities (42)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-44312	Med	5.8	< 18.7.6-r3	18.7.6-r3	May 14, 2026	css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL:
CVE-2026-40295	med	—	< 18.7.6-r3	18.7.6-r3	May 8, 2026	## Summary When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker
CVE-2026-42501	Hig	7.5	< 18.7.6-r3	18.7.6-r3	May 7, 2026	A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499	Hig	7.5	< 18.7.6-r3	18.7.6-r3	May 7, 2026	Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836	Hig	7.5	< 18.7.6-r3	18.7.6-r3	May 7, 2026	The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826	Med	6.1	< 18.7.6-r3	18.7.6-r3	May 7, 2026	If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825	Med	5.3	< 18.7.6-r3	18.7.6-r3	May 7, 2026	ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823	Med	6.1	< 18.7.6-r3	18.7.6-r3	May 7, 2026	CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820	Hig	7.5	< 18.7.6-r3	18.7.6-r3	May 7, 2026	Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819	Med	5.3	< 18.7.6-r3	18.7.6-r3	May 7, 2026	The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817	Med	5.9	< 18.7.6-r3	18.7.6-r3	May 7, 2026	The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814	Hig	7.5	< 18.7.6-r3	18.7.6-r3	May 7, 2026	When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811	Hig	7.5	< 18.7.6-r3	18.7.6-r3	May 7, 2026	When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-27142	Med	6.1	< 0	0	Mar 6, 2026	Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139	Low	2.5	< 18.7.6-r0	18.7.6-r0	Mar 6, 2026	On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679	Hig	7.5	< 18.7.6-r0	18.7.6-r0	Mar 6, 2026	url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2025-15558		—	< 0	0	Mar 4, 2026	Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
CVE-2026-1229		—	< 18.7.6-r2	18.7.6-r2	Feb 24, 2026	The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-0595		—	< 18.7.4-r0	18.7.4-r0	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
CVE-2026-1282		—	< 18.7.4-r0	18.7.4-r0	Feb 11, 2026	GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.

CVE-2026-44312MedMay 14, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL:
CVE-2026-40295medMay 8, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
## Summary When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker
CVE-2026-42501HigMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499HigMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836HigMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826MedMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825MedMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823MedMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820HigMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819MedMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817MedMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814HigMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811HigMay 7, 2026
affected < 18.7.6-r3fixed 18.7.6-r3
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-27142MedMar 6, 2026
affected < 0fixed 0
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139LowMar 6, 2026
affected < 18.7.6-r0fixed 18.7.6-r0
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679HigMar 6, 2026
affected < 18.7.6-r0fixed 18.7.6-r0
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2025-15558Mar 4, 2026
affected < 0fixed 0
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
CVE-2026-1229Feb 24, 2026
affected < 18.7.6-r2fixed 18.7.6-r2
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-0595Feb 11, 2026
affected < 18.7.4-r0fixed 18.7.4-r0
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
CVE-2026-1282Feb 11, 2026
affected < 18.7.4-r0fixed 18.7.4-r0
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.

Page 1 of 3