VYPR

apk package

wolfi/gitlab-runner-18.11

pkg:apk/wolfi/gitlab-runner-18.11

Vulnerabilities (26)

  • CVE-2026-39827MedMay 22, 2026
    affected < 18.11.3-r4fixed 18.11.3-r4

    An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state

  • CVE-2026-41506MedMay 8, 2026
    affected < 18.11.2-r0fixed 18.11.2-r0

    go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0

  • CVE-2026-33814HigMay 7, 2026
    affected < 18.11.2-r3fixed 18.11.2-r3

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-32952MedApr 24, 2026
    affected < 18.11.2-r4fixed 18.11.2-r4

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-35469HigApr 16, 2026
    affected < 18.11.2-r2fixed 18.11.2-r2

    spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,

  • CVE-2025-15558Mar 4, 2026
    affected < 0fixed 0

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

Page 2 of 2