EUVD-2026-15804

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsisten...

CVE-2026-2745

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsisten...

CVE-2026-2745 Authentication Bypass Using an Alternate Path or Channel in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsisten...

CVE-2026-2745

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsisten...

CVE-2026-2745

GitLab CVE-2026-2745 affects GitLab CE/EE versions 7.11 up to 18.8.7, 18.8.x before 18.8.7; 18.9 before 18.9.3; and 18.10 before 18.10.1. The issue allowed an unauthenticated user to bypass WebAuthn two‑factor authentication and gain unauthorized access to user accounts due to inconsistent input ...

CVE-2026-2745 Authentication Bypass Using an Alternate Path or Channel in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsisten...

CVE-2026-2745

Removed by vendor...

PT-2026-27988

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 7.11 through 18.8.6 GitLab CE/EE versions 18.9 through 18.9.2 GitLab CE/EE versions 18.10 through 18.10.0 Description An issue existed in GitLab CE/EE where an unauthenticated user could bypass WebAuthn two-factor...

Gitlab -- vulnerabilities

Gitlab reports: Improper Handling of Parameters issue in Jira Connect installations impacts GitLab CE/EE Cross-Site Request Forgery issue in GLQL API impacts GitLab CE/EE HTML Injection in vulnerability report impacts GitLab EE Denial of Service issue in GraphQL API impacts GitLab CE/EE Improper...

GitLab 安全漏洞

GitLab is an end-to-end software development platform provided by the American company GitLab. It includes built-in features such as version control, issue tracking, code review, and CI/CD Continuous Integration and Delivery. Vulnerabilities exist in versions of GitLab CE/EE before 18.8.7, 18.9.3...

GitLab 7.11 < 18.8.7 / 18.9 < 18.9.3 / 18.10 < 18.10.1 (CVE-2026-2745)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass...

GHSA-G3QJ-J598-CXMQ fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing

Summary fido2-lib v3.x depends on cbor-x 1.6.0, which optionally pulls in cbor-extract C++ native addon. cbor-extract = 2.2.0 has a heap buffer over-read in extractStrings — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead. The crash triggers during...

WordPress WP-WebAuthn plugin <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by wesley wcraft in WordPress Plugin WP-WebAuthn versions = 1.3.4...

GHSA-5353-F8FQ-65VC New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

Summary A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. Affected versions = v0.10.0 Description The POST /api/verify endpoint supports multiple secure verification...

CVE-2026-32879

CVE-2026-32879 affects New API (LLM gateway/AI asset management). Beginning with version 0.10.0, a logic flaw in the universal secure verification flow lets an authenticated user with a registered passkey satisfy secure verification without completing a WebAuthn assertion. Exploitation status is ...

New API 授权问题漏洞

The New API is an interface software developed by QuantumNous. Versions of the New API starting from 0.10.0 have a vulnerability related to authorization. This vulnerability stems from logical flaws in the general security verification process, allowing authenticated users with registered...

EUVD-2025-208914

The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the wwaauth AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it...

CVE-2025-13910

The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the wwaauth AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it...

CVE-2025-13910

The CVE-2025-13910 entry affects the WP-WebAuthn WordPress plugin. All versions up to 1.3.4 are vulnerable to Unauthenticated Stored Cross-Site Scripting via the wwa_auth AJAX endpoint due to insufficient input sanitization and output escaping on user-supplied attributes logged by the plugin. Thi...

CVE-2025-13910 WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting

The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the wwaauth AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it...