
17485 matches found

CVE
added 2025/11/15 8:4 a.m., 11 views

CVE-2025-6171

GitLab CVE-2025-6171 is a disclosed vulnerability in GitLab CE/EE that allowed an authenticated user with reporter access to view branch names and pipeline details via the Packages API endpoint even when repository access was disabled. Affected versions run from 13.2 up to before 18.3.6, 18.4 up ...

5.3 CVSS, 6.2 AI score, 0.00021 EPSS
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2025/11/15 8:4 a.m., 2 views

CVE-2025-6171 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 5.9 AI score, 0.00021 EPSS
Exploits: 0, References: 3
OSV
added 2025/11/15 8:4 a.m., 3 views

CVE-2025-6171 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even wh...

5.3 CVSS, 6.2 AI score, 0.00021 EPSS
Exploits: 0, References: 6
Cvelist
added 2025/11/15 8:3 a.m., 8 views

CVE-2025-11990 Improper Handling of URL Encoding (Hex Encoding) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses...

3.1 CVSS, 0.00018 EPSS
Exploits: 0, References: 3
OSV
added 2025/11/15 8:3 a.m., 9 views

CVE-2025-11990 Improper Handling of URL Encoding (Hex Encoding) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses...

3.1 CVSS, 6.5 AI score, 0.00018 EPSS
Exploits: 0, References: 6
CVE
added 2025/11/15 8:3 a.m., 40 views

CVE-2025-11990

GitLab CVE-2025-11990 affects GitLab EE with affected versions 18.4 before 18.4.4 and 18.5 before 18.5.2. The issue arises from improper input validation in repository references combined with redirect handling weaknesses, enabling an authenticated user to obtain CSRF tokens. Remediation per conn...

3.5 CVSS, 6.5 AI score, 0.00018 EPSS
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2025/11/15 8:3 a.m., 1 view

CVE-2025-11990 Improper Handling of URL Encoding (Hex Encoding) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses...

3.1 CVSS, 6.2 AI score, 0.00018 EPSS
Exploits: 0, References: 3
Positive Technologies
added 2025/11/15 12:0 a.m., 2 views

PT-2025-47048

Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.4 through 18.4.3 GitLab EE versions 18.5 through 18.5.1 Description An authenticated user could obtain CSRF tokens due to improper input validation in repository references and redirect handling weaknesses. The issue...

3.1 CVSS, 6.3 AI score, 0.00018 EPSS
Exploits: 0, References: 5
OSV
added 2025/11/14 2:45 p.m., 18 views

HSEC-2023-0013 git-annex plaintext storage of embedded credentials on encrypted remotes

git-annex plaintext storage of embedded credentials on encrypted remotes git-annex had a bug in the S3 and Glacier remotes where if embedcreds=yes was set, and the remote used encryption=pubkey or encryption=hybrid, the embedded AWS credentials were stored in the Git repository in effectively...

7.5 CVSS, 6.2 AI score, 0.00042 EPSS
Exploits: 0, References: 2
OSV
added 2025/11/14 2:45 p.m., 39 views

HSEC-2023-0009 git-annex command injection via malicious SSH hostname

git-annex command injection via malicious SSH hostname git-annex was vulnerable to the same class of security hole as git's CVE-2017-1000117. In several cases, git-annex parses a repository URL, and uses it to generate a ssh command, with the hostname to ssh to coming from the URL. If the hostnam...

10 CVSS, 8.4 AI score, 0.70245 EPSS
Exploits: 12, References: 2
OSV
added 2025/11/14 2:45 p.m., 4 views

HSEC-2025-0005 cabal-install dependency confusion

cabal-install dependency confusion For cabal-install 3.4.0.0 and where multiple repositories are configured, the resolver picks the highest available version across all repositories. Where a package is only defined in a private repository, this behaviour leads to a dependency confusionblog supply...

6.9 AI score
Exploits: 0, References: 1
Fedora
added 2025/11/14 1:28 a.m., 5 views

[SECURITY] Fedora 43 Update: gh-2.83.0-1.fc43

A command-line interface to GitHub for use in your terminal or your scripts. gh is a tool designed to enhance your workflow when working with GitHub. It provides a seamless way to interact with GitHub repositories and perform various actions right from the command line, eliminating the need to...

7.5 CVSS, 7.1 AI score, 0.00044 EPSS
Exploits: 0
Tenable Nessus
added 2025/11/14 12:0 a.m., 5 views

JetBrains YouTrack < 2025.3.104432 Multiple Vulnerabilities

The version of JetBrains YouTrack installed on the remote host is prior to 2025.2.92387. It is, therefore, affected by multiple vulnerabilities as referenced in the advisory. - In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure. CVE-2025-64685 - ...

8.1 CVSS, 5.5 AI score, 0.0001 EPSS
Exploits: 0, References: 9
OSV
added 2025/11/13 10:46 a.m., 9 views

BIT-ARGO-CD-2025-55191 Repository Credentials Race Condition Crashes Argo CD Server

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions between 2.1.0 and 2.14.19, 3.2.0, 3.1.0 through 3.1.7, and 3.0.0 through 3.0.18 contain a race condition in the repository credentials handler that can cause the Argo CD server to panic and crash when concurrent...

6.5 CVSS, 7.3 AI score, 0.00049 EPSS
Exploits: 0, References: 4
EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-176622

Malicious code in robotics-cosmiconfig-repository-metabolomics npm...

6.6 AI score
Exploits: 0
EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-179951

Malicious code in build-perseus-repository-asteroid npm...

6.6 AI score
Exploits: 0
EUVD
added 2025/11/13 3:23 a.m., 4 views

EUVD-2025-178019

Malicious code in loop-cosmicray-repository-entanglement npm...

6.6 AI score
Exploits: 0
OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in repository-reveal-md-multiverse-quasar (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de52f7052500891977e9b92278627f7cabde231989ddf59ee96489c8f19bf65a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0
EUVD
added 2025/11/13 3:23 a.m., 3 views

EUVD-2025-176684

Malicious code in request-slidev-jest-repository npm...

6.6 AI score
Exploits: 0
OSV
added 2025/11/13 3:23 a.m., 1 view

MAL-2025-187582 Malicious code in janus-repository-acamar-jekyll (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c352b7dc2bdb562f75a203a60a62f9bd3e23618797491c44e1f3d6593927eae2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0