VYPR

apk package

chainguard/gitlab-workhorse-ce-fips-18.11

pkg:apk/chainguard/gitlab-workhorse-ce-fips-18.11

Vulnerabilities (33)

  • CVE-2026-39823MedMay 7, 2026
    affected < 18.11.2-r4fixed 18.11.2-r4

    CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le

  • CVE-2026-39820HigMay 7, 2026
    affected < 18.11.2-r4fixed 18.11.2-r4

    Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

  • CVE-2026-39819MedMay 7, 2026
    affected < 18.11.2-r4fixed 18.11.2-r4

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 18.11.2-r4fixed 18.11.2-r4

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 18.11.2-r5fixed 18.11.2-r5

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 18.11.2-r4fixed 18.11.2-r4

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-33813HigApr 21, 2026
    affected < 0fixed 0

    Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

  • CVE-2026-33812MedApr 21, 2026
    affected < 0fixed 0

    Parsing a malicious font file can cause excessive memory allocation.

  • CVE-2026-39883HigApr 8, 2026
    affected < 18.11.2-r2fixed 18.11.2-r2

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 18.11.2-r2fixed 18.11.2-r2

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-29181HigApr 7, 2026
    affected < 18.11.2-r2fixed 18.11.2-r2

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many bagg

  • CVE-2026-34986HigApr 6, 2026
    affected < 18.11.2-r1fixed 18.11.2-r1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-33809MedMar 25, 2026
    affected < 18.11.2-r3fixed 18.11.2-r3

    A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

Page 2 of 2