GHSA-JP94-3292-C3XV vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce-fips, gitlab-rails-ce...
GHSA-8JR5-6GVJ-RFPF @yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
SSE Transport Has No Authentication and Wildcard CORS, Exposing All 86 GitLab Tools Including Destructive Operations A review of mcp-gitlab-server at commit 80a7b4cf3fba6b55389c0ef491a48190f7c8996a uncovered that the SSE HTTP transport — advertised in the README and comparison table as a...
PT-2026-39306
Name of the Vulnerable Software and Affected Versions GitLab MCP Server versions prior to 0.6.0 Description The HTTP transport in src/transport.ts lacks an authentication layer and implements a wildcard Access-Control-Allow-Origin: header on all responses. This allows any cross-origin browser...
CVE-2026-42195
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to ope...
CVE-2026-42195 Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to ope...
EUVD-2026-28833
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to ope...
CVE-2026-42195
The CVE describes a vulnerability in the draw.io client prior to version 29.7.9 where a ?gitlab= URL parameter can override the GitLab server URL used during OAuth sign-in. A crafted link can force the user’s click on the "Authorize in GitLab" dialog to open a popup on an attacker-controlled host...
GHSA-C4RQ-3M3G-8WGX vulnerabilities
Vulnerabilities for packages: ruby3.4-rails, pact-broker-docker-fips, pact-broker-docker, gitlab-rails-ce-fips, gitlab-rails-ce, ruby4.0-rails, ruby3.3-rails, ruby3.2-rails, kube-logging-operator...
CVE-2026-44312 vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce, gitlab-rails-ce-fips...
GHSA-V2FC-QM4H-8HQV vulnerabilities
Vulnerabilities for packages: ruby3.4-rails, pact-broker-docker-fips, pact-broker-docker, gitlab-rails-ce-fips, gitlab-rails-ce, ruby4.0-rails, ruby3.3-rails, ruby3.2-rails, kube-logging-operator...
GHSA-FF6C-W6QF-7XQC vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce, gitlab-rails-ce-fips...
CVE-2026-41636 vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce...
GHSA-R67J-R569-JRWP vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce...
PT-2026-39197
Name of the Vulnerable Software and Affected Versions draw.io versions prior to 29.7.9 Description The application accepts a gitlab URL parameter that overrides the GitLab server URL used during OAuth sign-in. An attacker can use a crafted link to cause the "Authorize in GitLab" dialog to open a...
draw.io information disclosure vulnerability
Draw.IO is an open-source, configurable diagramming and whiteboard application. Versions of Draw.IO prior to 29.7.9 contain an information disclosure vulnerability. It is caused by the URL parameter "gitlab" overriding the GitLab server URL used during OAuth login. As a...
CVE-2026-41889 vulnerabilities
Vulnerabilities for packages: teleport, openbao, steampipe, falcosidekick-fips, amass, falcosidekick, openfga-fips, spicedb-fips, temporal-server, argo-workflows, bento, caddy-fips, cloudprober, pgtimetable-fips, rke2-runtime, juicefs, seaweedfs-fips, timescaledb-parallel-copy, kube-bench,...
CVE-2026-41506 vulnerabilities
Vulnerabilities for packages: pulumi-language-yaml, teleport, google-osconfig-agent, steampipe, trivy, bom, argocd-image-updater, argo-cd, kargo, grafana-alloy, kubevela, flux-image-automation-controller-fips, osv-scanner, tfsec, commercial-chainloop-cli, pulumi-language-java, guac, argo-workflow...