VYPR

apk package

chainguard/gitlab-rails-ce-fips-18.9

pkg:apk/chainguard/gitlab-rails-ce-fips-18.9

Vulnerabilities (60)

  • CVE-2026-44740MedJun 1, 2026
    affected < 18.9.7-r1fixed 18.9.7-r1

    Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise

  • CVE-2026-44973HigMay 28, 2026
    affected < 18.9.7-r1fixed 18.9.7-r1

    Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.

  • CVE-2026-45571MedMay 27, 2026
    affected < 18.9.7-r2fixed 18.9.7-r2

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v

  • CVE-2026-45570CriMay 27, 2026
    affected < 18.9.7-r2fixed 18.9.7-r2

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito

  • CVE-2026-45022HigMay 27, 2026
    affected < 18.9.7-r1fixed 18.9.7-r1

    go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa

  • CVE-2026-40295MedMay 22, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validatio

  • CVE-2026-41888MedMay 14, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the storage.delete.enabled: false configuration, allowing any API client to remove tags from repositories even w

  • CVE-2026-42258CriMay 9, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issu

  • CVE-2026-42257CriMay 9, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived fro

  • CVE-2026-42256MedMay 9, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a com

  • CVE-2026-42246HigMay 9, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in

  • CVE-2026-42245HigMay 9, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send

  • CVE-2026-41506MedMay 8, 2026
    affected < 18.9.6-r1fixed 18.9.6-r1

    go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0

  • CVE-2026-42501HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser

  • CVE-2026-42499HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

  • CVE-2026-39836HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

  • CVE-2026-39826MedMay 7, 2026
    affected < 0fixed 0

    If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.

  • CVE-2026-39825MedMay 7, 2026
    affected < 0fixed 0

    ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa

  • CVE-2026-39823MedMay 7, 2026
    affected < 0fixed 0

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 18.9.6-r2fixed 18.9.6-r2

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Page 1 of 3