VYPR

apk package

wolfi/gitea

pkg:apk/wolfi/gitea

Vulnerabilities (44)

  • CVE-2026-45571May 19, 2026
    affected < 1.26.2-r0fixed 1.26.2-r0

    ### Impact A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-g

  • CVE-2026-45570lowMay 19, 2026
    affected < 1.26.2-r0fixed 1.26.2-r0

    ### Impact `go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedd

  • CVE-2026-45022higMay 11, 2026
    affected < 1.25.5-r9fixed 1.25.5-r9

    ### Impact `go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the sa

  • CVE-2026-41506MedMay 8, 2026
    affected < 1.25.5-r5fixed 1.25.5-r5

    go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.25.5-r8fixed 1.25.5-r8

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-32952MedApr 24, 2026
    affected < 1.25.5-r6fixed 1.25.5-r6

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-33813HigApr 21, 2026
    affected < 1.26.1-r1fixed 1.26.1-r1

    Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

  • CVE-2026-33812MedApr 21, 2026
    affected < 0fixed 0

    Parsing a malicious font file can cause excessive memory allocation.

  • CVE-2026-32289MedApr 8, 2026
    affected < 1.25.5-r4fixed 1.25.5-r4

    Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es

  • CVE-2026-32288MedApr 8, 2026
    affected < 1.25.5-r4fixed 1.25.5-r4

    tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

  • CVE-2026-32283HigApr 8, 2026
    affected < 1.25.5-r4fixed 1.25.5-r4

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32282MedApr 8, 2026
    affected < 0fixed 0

    On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R

  • CVE-2026-32281HigApr 8, 2026
    affected < 1.25.5-r4fixed 1.25.5-r4

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C

  • CVE-2026-32280HigApr 8, 2026
    affected < 1.25.5-r4fixed 1.25.5-r4

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls

  • CVE-2026-27140HigApr 8, 2026
    affected < 1.25.5-r4fixed 1.25.5-r4

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2026-33817Apr 6, 2026
    affected < 0fixed 0

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-34165MedMar 31, 2026
    affected < 1.25.5-r3fixed 1.25.5-r3

    go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re

  • CVE-2026-33762LowMar 31, 2026
    affected < 1.25.5-r3fixed 1.25.5-r3

    go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t

  • CVE-2026-33809MedMar 25, 2026
    affected < 0fixed 0

    A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

  • CVE-2026-33186CriMar 20, 2026
    affected < 1.25.5-r1fixed 1.25.5-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

Page 1 of 3