Vulnerabilities are handled in GitLab Community Edition and Enterprise Edition

GitLab has identified several vulnerabilities in the GitLab Community Edition and Enterprise Edition, specifically in versions 12.7 through 18.10.7, 18.11 through 18.11.4, and 19.0 through 19.0.1. These vulnerabilities relate to various aspects of authentication, authorization, and validation...

Silent Consent, Persistent Risk: Android Permission Groups and Custom Permissions

Android's permission system is designed to balance usability with informed consent, yet two legacy mechanisms still undermine that balance in Android 16: i permission groups that silently auto-grant new permissions within a group after a user's initial approval, and ii normal-level custom...

BIT-GITLAB-2026-3073 Authorization Bypass Through User-Controlled Key in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to...

CVE-2026-3073 Authorization Bypass Through User-Controlled Key in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to...

CVE-2026-7481 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input...

PT-2026-40859

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 17.10 through 18.9.6 GitLab CE/EE versions 18.10 through 18.10.5 GitLab CE/EE versions 18.11 through 18.11.2 Description An improper authorization check allows an authenticated user with developer-role permissions to dele...

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the Twig sandbox security policy, which permits database write operations even when safe mode is enabled. An attacker with Developer permissions can modify, insert, or delete data in any database...

GHSA-H6JM-F4HH-FW27 October CMS has Safe Mode Bypass via Twig Database Write Operations

A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query...

CVE-2026-26274

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVE-2026-26274 October: Safe Mode Bypass via Twig Database Write Operations

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVE-2026-26274 October: Safe Mode Bypass via Twig Database Write Operations

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup ...

PT-2026-34003

Name of the Vulnerable Software and Affected Versions October versions prior to 3.7.14 October versions prior to 4.1.10 Description A flaw in the Twig sandbox security policy allows database write operations when cms.safe mode is enabled. Backend users with Developer permissions can use Twig...

BIT-GITLAB-2026-1752 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in t...

PT-2026-31541

Name of the Vulnerable Software and Affected Versions GitLab EE versions 11.3 through 18.8.9, 18.9 through 18.9.5, and 18.10 through 18.10.3 Description GitLab EE was found to have improper authorization checks in the API. This allowed an authenticated user with developer-role permissions to modi...

CVE-2025-14103

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions...

CVE-2025-12743

The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT...

CVE-2025-12743

CVE-2025-12743 affects Looker: the project-generation endpoint (creating new projects from database connections) accepts a reserved internal name "looker" and the schemas parameter is vulnerable to SQL injection. This allows users with developer permissions to manipulate SELECT queries against Lo...

EUVD-2019-13420

Malware in sbrugna...

GitLab 安全漏洞

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD Continuous Integration and Continuous Delivery, and other features. A security vulnerability exists in Gitlab CE/EE that stems from allowing...

Design/Logic Flaw

Cloud Foundry Routing Release, all versions prior to 0.188.0, contains a vulnerability that can hijack the traffic to route services hosted outside the platform. A user with space developer permissions can create a private domain that shadows the external domain of the route service, and map that...