Arbitrary Code Injection Affecting gitlab-rails-ce-fips-18.11 package, versions <18.11.6-r1


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

Social Trends
EPSS
0.71% (49th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-GITLABRAILSCEFIPS1811-17675740
  • published29 Jun 2026
  • disclosed27 Mar 2026

Introduced: 27 Mar 2026

CVE-2026-33938  (opens in a new tab)
CWE-94  (opens in a new tab)
CWE-843  (opens in a new tab)

How to fix?

Upgrade Chainguard gitlab-rails-ce-fips-18.11 to version 18.11.6-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gitlab-rails-ce-fips-18.11 package and not the gitlab-rails-ce-fips-18.11 package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the @partial-block special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites @partial-block with a crafted Handlebars AST, a subsequent invocation of {{&gt; @partial-block}} compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (require(&#39;handlebars/runtime&#39;)). The compile() method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as handlebars-helpers) in contexts where templates or context data can be influenced by untrusted input.

CVSS Base Scores

version 3.1