gitlab-rails-ce-18.11

Direct Vulnerabilities

Known vulnerabilities in the gitlab-rails-ce-18.11 package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free
VulnerabilityVulnerable Version
  • M
Directory Traversal

<18.11.6-r12
  • M
Improper Handling of Unicode Encoding

<18.11.6-r12
  • L
GHSA-qffp-2rhf-9h96

<18.11.6-r12
  • L
GHSA-r6q2-hw4h-h46w

<18.11.6-r12
  • M
Directory Traversal

<18.11.6-r12
  • L
Interpretation Conflict

<18.11.6-r12
  • H
Directory Traversal

<18.11.6-r12
  • L
Directory Traversal

<18.11.6-r12
  • L
GHSA-vmf3-w455-68vh

<18.11.6-r12
  • L
GHSA-8qq5-rm4j-mr97

<18.11.6-r12
  • L
GHSA-9ppj-qmqm-q256

<18.11.6-r12
  • L
GHSA-83g3-92jg-28cx

<18.11.6-r12
  • L
GHSA-34x7-hfp2-rc4v

<18.11.6-r12
  • M
Directory Traversal

<18.11.6-r12
  • C
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

<18.11.6-r11
  • L
GHSA-rf6f-7fwh-wjgh

<18.11.6-r11
  • L
GHSA-25h7-pfq9-p65f

<18.11.6-r11
  • L
Uncontrolled Recursion

<18.11.6-r11
  • L
GHSA-22p9-wv53-3rq4

<18.11.6-r10
  • L
Inefficient Regular Expression Complexity

<18.11.6-r10
  • L
GHSA-w7jw-789q-3m8p

<18.11.6-r8
  • L
CVE-2026-9277

<18.11.6-r8
  • L
GHSA-fvcv-3m26-pcqx

<18.11.6-r7
  • H
Uncontrolled Recursion

<18.11.6-r7
  • L
GHSA-f6ww-3ggp-fr8h

<18.11.6-r7
  • C
Unintended Proxy or Intermediary ('Confused Deputy')

<18.11.6-r7
  • L
Allocation of Resources Without Limits or Throttling

<18.11.6-r7
  • L
Improper Encoding or Escaping of Output

<18.11.6-r7
  • L
XML Injection

<18.11.6-r7
  • L
GHSA-5xrq-8626-4rwp

<18.11.6-r7
  • L
GHSA-3v7f-55p6-f55p

<18.11.6-r7
  • L
GHSA-3ppc-4f35-3m26

<18.11.6-r7
  • L
CVE-2026-12143

<18.11.6-r7
  • L
Unintended Proxy or Intermediary ('Confused Deputy')

<18.11.6-r7
  • L
GHSA-5prr-v3j2-97mh

<18.11.6-r7
  • L
GHSA-v62p-rq8g-8h59

<18.11.6-r7
  • L
Server-Side Request Forgery (SSRF)

<18.11.6-r6
  • L
Permissive Whitelist

<18.11.6-r7
  • L
GHSA-48c2-rrv3-qjmp

<18.11.6-r7
  • L
GHSA-445q-vr5w-6q77

<18.11.6-r7
  • L
GHSA-5c9x-8gcm-mpgx

<18.11.6-r7
  • H
Server-Side Request Forgery (SSRF)

<18.11.6-r7
  • L
GHSA-898c-q2cr-xwhg

<18.11.6-r7
  • L
GHSA-65ch-62r8-g69g

<18.11.6-r7
  • C
Permissive Whitelist

<18.11.6-r7
  • M
Integer Overflow or Wraparound

<18.11.6-r7
  • L
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

<18.11.6-r7
  • L
Resource Exhaustion

<18.11.6-r7
  • L
GHSA-xhjh-pmcv-23jw

<18.11.6-r7
  • L
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

<18.11.6-r7
  • H
Information Exposure

<18.11.6-r7
  • L
CVE-2025-12816

<18.11.6-r7
  • L
GHSA-43fc-jf86-j433

<18.11.6-r7
  • L
GHSA-3g43-6gmg-66jw

<18.11.6-r7
  • L
GHSA-23c5-xmqv-rm74

<18.11.6-r7
  • L
GHSA-j5f8-grm9-p9fc

<18.11.6-r7
  • L
GHSA-wjv4-x9w8-wm3h

<18.11.6-r7
  • H
Uncontrolled Recursion

<18.11.6-r7
  • L
Uncontrolled Recursion

<18.11.6-r7
  • L
GHSA-554w-wpv2-vw27

<18.11.6-r7
  • L
GHSA-62hf-57xw-28j9

<18.11.6-r7
  • L
XML Injection

<18.11.6-r7
  • L
GHSA-xhf5-7wjv-pqxp

<18.11.6-r7
  • L
GHSA-p67v-3w7g-wjg7

<18.11.6-r7
  • M
HTTP Response Splitting

<18.11.6-r7
  • L
GHSA-777c-7fjr-54vf

<18.11.6-r7
  • H
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

<18.11.6-r7
  • L
GHSA-pjwm-pj3p-43mv

<18.11.6-r6
  • L
GHSA-h7cp-r72f-jxh6

<18.11.6-r7
  • L
HTTP Response Splitting

<18.11.6-r7
  • L
Allocation of Resources Without Limits or Throttling

<18.11.6-r7
  • L
Arbitrary Code Injection

<18.11.6-r7
  • L
GHSA-hmw2-7cc7-3qxx

<18.11.6-r7
  • L
CVE-2026-47262

<18.11.6-r7
  • L
GHSA-q67f-28xg-22rw

<18.11.6-r7
  • L
CVE-2025-6545

<18.11.6-r7
  • L
GHSA-c2c7-rcm5-vvqj

<18.11.6-r7
  • L
GHSA-j759-j44w-7fr8

<18.11.6-r7
  • L
Improper Verification of Cryptographic Signature

<18.11.6-r7
  • L
GHSA-q8qp-cvcw-x6jj

<18.11.6-r7
  • L
GHSA-pf86-5x62-jrwf

<18.11.6-r7
  • L
CRLF Injection

<18.11.6-r7
  • L
GHSA-9cv2-cfxc-v4v2

<18.11.6-r7
  • L
GHSA-2328-f5f3-gj25

<18.11.6-r7
  • M
Improper Authentication

<18.11.6-r7
  • L
Improper Check for Unusual or Exceptional Conditions

<18.11.6-r7
  • L
GHSA-5m6q-g25r-mvwx

<18.11.6-r7
  • L
GHSA-q7cg-457f-vx79

<18.11.6-r7
  • L
Allocation of Resources Without Limits or Throttling

<18.11.6-r7
  • L
GHSA-3p68-rc4w-qgx5

<18.11.6-r7
  • L
GHSA-wh4c-j3r5-mjhp

<18.11.6-r7
  • L
GHSA-w9j2-pvgh-6h63

<18.11.6-r7
  • L
GHSA-ppp5-5v6c-4jwp

<18.11.6-r7
  • H
Inefficient Regular Expression Complexity

<18.11.6-r7
  • L
CVE-2025-6547

<18.11.6-r7
  • L
GHSA-phwj-rprq-35pp

<18.11.6-r7
  • L
XML Injection

<18.11.6-r7
  • L
Loop with Unreachable Exit Condition ('Infinite Loop')

<18.11.6-r7
  • L
Inefficient Regular Expression Complexity

<18.11.6-r7
  • L
GHSA-r4q5-vmmm-2653

<18.11.6-r7
  • L
GHSA-2v35-w6hq-6mfw

<18.11.6-r7
  • L
Improper Input Validation

<18.11.6-r7
  • L
GHSA-8678-w3jw-xfc2

<18.11.6-r7
  • L
GHSA-5v8h-3h3q-446p

<18.11.6-r7
  • C
Improperly Controlled Modification of Dynamically-Determined Object Attributes

<18.11.6-r7
  • C
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

<18.11.6-r7
  • L
Improper Input Validation

<18.11.6-r7
  • L
GHSA-vf2m-468p-8v99

<18.11.6-r7
  • L
GHSA-hfxv-24rg-xrqf

<18.11.6-r7
  • L
GHSA-jpcc-p29g-p8mq

<18.11.6-r7
  • L
Allocation of Resources Without Limits or Throttling

<18.11.6-r7
  • L
Uncontrolled Recursion

<18.11.6-r7
  • L
GHSA-xx6v-rp6x-q39c

<18.11.6-r7
  • L
Improper Input Validation

<18.11.6-r7
  • L
GHSA-3w6x-2g7m-8v23

<18.11.6-r7
  • L
GHSA-m7pr-hjqh-92cm

<18.11.6-r7
  • L
Information Exposure

<18.11.6-r7
  • L
GHSA-6chq-wfr3-2hj9

<18.11.6-r7
  • L
GHSA-5gfm-wpxj-wjgq

<18.11.6-r7
  • L
GHSA-wfpw-mmfh-qq69

<18.11.6-r7
  • L
GHSA-64mm-vxmg-q3vj

<18.11.6-r7
  • L
GHSA-pmwg-cvhr-8vh7

<18.11.6-r7
  • L
GHSA-35jp-ww65-95wh

<18.11.6-r7
  • C
Improper Certificate Validation

<18.11.6-r7
  • L
Uncaught Exception

<18.11.6-r7
  • L
GHSA-7r86-cg39-jmmj

<18.11.6-r7
  • L
GHSA-p92q-9vqr-4j8v

<18.11.6-r7
  • L
Directory Traversal

<18.11.6-r7
  • L
XML Injection

<18.11.6-r7
  • L
GHSA-4hjh-wcwx-xvwj

<18.11.6-r7
  • L
GHSA-x6wf-f3px-wcqx

<18.11.6-r7
  • L
Inefficient Regular Expression Complexity

<18.11.6-r7
  • L
Algorithmic Complexity

<18.11.6-r7
  • L
GHSA-fjxv-7rqg-78g4

<18.11.6-r6
  • L
CVE-2025-7783

<18.11.6-r6
  • C
CVE-2025-9287

<18.11.6-r5
  • L
GHSA-cpq7-6gpm-g9rc

<18.11.6-r5
  • L
GHSA-95m3-7q98-8xr5

<18.11.6-r4
  • C
CVE-2025-9288

<18.11.6-r4
  • L
CVE-2026-50195

<18.11.6-r3
  • L
Symlink Following

<18.11.6-r3
  • L
GHSA-rgh6-rfwx-v388

<18.11.6-r3
  • L
Improper Input Validation

<18.11.6-r3
  • L
GHSA-cvxm-645q-p574

<18.11.6-r3
  • L
GHSA-33vj-92qq-66hc

<18.11.6-r3
  • M
Cross-site Scripting (XSS)

<18.11.6-r2
  • L
GHSA-3mfm-83xf-c92r

<18.11.6-r2
  • L
Improper Check for Unusual or Exceptional Conditions

<18.11.6-r2
  • L
Arbitrary Code Injection

<18.11.6-r2
  • L
Arbitrary Code Injection

<18.11.6-r2
  • L
GHSA-9cx6-37pm-9jff

<18.11.6-r2
  • L
GHSA-xhpv-hc6g-r9c6

<18.11.6-r2
  • H
Cross-site Scripting (XSS)

<18.11.6-r2
  • L
GHSA-442j-39wm-28r2

<18.11.6-r2
  • L
Arbitrary Code Injection

<18.11.6-r2
  • L
GHSA-xjpj-3mr7-gcpf

<18.11.6-r2
  • L
GHSA-7rx3-28cr-v5wh

<18.11.6-r2
  • L
GHSA-2w6w-674q-4c4q

<18.11.6-r2
  • L
GHSA-2qvq-rjwj-gvw9

<18.11.6-r2
  • L
GHSA-5wrp-cwcj-q835

<18.11.6-r1
  • L
GHSA-hfvc-g4fc-pqhx

<18.11.6-r1
  • H
Untrusted Search Path

<18.11.6-r1
  • L
Uncontrolled Memory Allocation

<18.11.6-r1
  • L
GHSA-3p65-76g6-3w7r

<18.11.6-r0
  • M
Incorrect Authorization

<18.11.6-r0
  • L
GHSA-f2g3-hh2r-cwgc

<18.11.6-r0
  • L
Server-Side Request Forgery (SSRF)

<18.11.6-r0
  • L
Improper Access Control

<18.11.6-r0
  • L
GHSA-6pjf-3r9x-m592

<18.11.6-r0
  • L
Server-Side Request Forgery (SSRF)

<18.11.5-r2
  • L
GHSA-33mh-2634-fwr2

<18.11.5-r2
  • L
Uncontrolled Recursion

<18.11.5-r2
  • L
GHSA-98m9-hrrm-r99r

<18.11.5-r2
  • M
Server-Side Request Forgery (SSRF)

<18.11.5-r2
  • L
GHSA-5rv5-xj5j-3484

<18.11.5-r2
  • C
Directory Traversal

<18.11.5-r1
  • L
GHSA-84xv-jfrm-h4gm

<18.11.5-r1
  • L
GHSA-c32j-vqhx-rx3x

<18.11.5-r0
  • L
Improper Neutralization

<18.11.5-r0
  • L
Resource Exhaustion

<18.11.5-r1
  • L
Authentication Bypass

<18.11.5-r1
  • L
GHSA-c4fp-cxrr-mj66

<18.11.5-r0
  • L
Arbitrary Command Injection

<18.11.5-r0
  • L
Improper Authentication

<18.11.5-r0
  • L
GHSA-2vqw-3mp8-cgmx

<18.11.5-r1
  • L
GHSA-qpgp-93vx-g8v8

<18.11.5-r1
  • L
GHSA-8p34-64r3-mwg8

<18.11.5-r0
  • L
Arbitrary Command Injection

<18.11.5-r0
  • L
GHSA-46q3-7gv7-qmgg

<18.11.5-r0
  • L
GHSA-v2fc-qm4h-8hqv

<18.11.5-r0
  • L
GHSA-c4rq-3m3g-8wgx

<18.11.5-r0
  • L
GHSA-h3gm-q7m7-mp28

<18.11.4-r1
  • L
GHSA-4279-q6mj-392r

<18.11.4-r1
  • L
CVE-2026-42507

<18.11.4-r1
  • L
CVE-2026-27145

<18.11.4-r1
  • L
Directory Traversal

<18.11.3-r3
  • L
GHSA-crhj-59gh-8x96

<18.11.3-r3
  • L
GHSA-m7cr-m3pv-hgrp

<18.11.3-r3
  • C
Improper Encoding or Escaping of Output

<18.11.3-r3
  • L
Improper Privilege Management

<18.11.3-r2
  • L
GHSA-fqw6-gf59-qr4w

<18.11.3-r2
  • L
GHSA-75xq-5h9v-w6px

<18.11.3-r1
  • L
GHSA-q2mw-fvj9-vvcw

<18.11.3-r1
  • C
Arbitrary Command Injection

<18.11.3-r1
  • L
GHSA-vcgp-9326-pqcp

<18.11.3-r1
  • C
Arbitrary Command Injection

<18.11.3-r1
  • M
Allocation of Resources Without Limits or Throttling

<18.11.3-r1
  • H
Missing Report of Error Condition

<18.11.3-r1
  • L
GHSA-87pf-fpwv-p7m7

<18.11.3-r1
  • H
Algorithmic Complexity

<18.11.3-r1
  • L
GHSA-hm49-wcqc-g2xg

<18.11.3-r1
  • L
Allocation of Resources Without Limits or Throttling

<18.11.3-r0
  • L
GHSA-fqvq-p2gc-c297

<18.11.3-r0
  • L
Missing Authorization

<18.11.3-r0
  • L
GHSA-c73g-r4cp-2xmg

<18.11.3-r0
  • L
Uncontrolled Recursion

<18.11.2-r3
  • L
GHSA-m3xc-h892-ggx6

<18.11.2-r3
  • L
GHSA-qw64-3x98-g7q2

<18.11.2-r3
  • L
Directory Traversal

<18.11.2-r3
  • L
GHSA-389r-gv7p-r3rp

<18.11.2-r3
  • H
Incorrect Behavior Order: Validate Before Canonicalize

<18.11.2-r3
  • L
Allocation of Resources Without Limits or Throttling

<18.11.2-r2
  • L
GHSA-mh2q-q3fh-2475

<18.11.2-r2
  • L
GHSA-3xc5-wrhm-f963

<18.11.2-r2
  • H
Insufficiently Protected Credentials

<18.11.2-r2
  • M
Out-of-bounds Write

<18.11.2-r1
  • L
GHSA-qf3q-3h68-mmh2

<18.11.2-r1
  • H
Allocation of Resources Without Limits or Throttling

<18.11.2-r1
  • L
GHSA-8g2r-hhvj-mv99

<18.11.2-r1
  • M
Link Following

<18.11.2-r1
  • H
NULL Pointer Dereference

<18.11.2-r1
  • L
GHSA-7f3r-gwc9-2995

<18.11.2-r1
  • L
GHSA-hg3h-g7xc-f7vp

<18.11.2-r1
  • L
GHSA-p9h5-jm8x-mjm5

<18.11.2-r1
  • L
GHSA-jp94-3292-c3xv

<18.11.2-r1
  • L
CVE-2026-42501

<18.11.2-r1
  • L
GHSA-5m4p-2gjx-p2g8

<18.11.2-r1
  • H
Partial Comparison

<18.11.2-r1
  • L
GHSA-qc64-m6c2-v4x7

<18.11.2-r1
  • L
GHSA-xq5j-9r39-c3vf

<18.11.2-r1
  • L
Exposed Dangerous Method or Function

<18.11.2-r1
  • L
CVE-2026-42499

<18.11.2-r1
  • L
Open Redirect

<18.11.2-r1
  • H
Loop with Unreachable Exit Condition ('Infinite Loop')

<18.11.2-r1
  • L
Directory Traversal

<18.11.2-r1
  • L
GHSA-526f-jxpj-jmg2

<18.11.2-r1