BIT-GITLAB-2025-5819 Incorrect Permission Assignment for Critical Resource in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances...

CVE-2025-5819

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances...

Malicious code in taxjar-developers (npm)

The package taxjar-developers was found to contain malicious code...

MAL-2025-34584 Malicious code in taxjar-developers (npm)

The package taxjar-developers was found to contain malicious code...

GitLab 15.7 < 18.0.6 / 18.1 < 18.1.4 / 18.2 < 18.2.2 (CVE-2025-5819)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer acces...

CVE-2025-5819

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances...

CVE-2025-5819 Incorrect Permission Assignment for Critical Resource in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances...

CVE-2025-5819 Incorrect Permission Assignment for Critical Resource in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances...

CVE-2025-5819

CVE-2025-5819 affects GitLab CE/EE versions 15.7–before 18.0.6, 18.1–before 18.1.4, and 18.2–before 18.2.2. The issue allows authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances. The provided documents confirm the affected versions and t...

What Security Should Look Like When Built for Developers

Security tools should support the way developers actually work. Here’s how we’re reimagining what that looks like...

cherry 代码注入漏洞

cherry is an HTTP server for Chee Personal Developers. A code injection vulnerability exists in cherry versions 1.4.8 through 1.5.0, which stems from improper handling of custom URLs and could lead to remote code execution...

pybbs 安全漏洞

pybbs is a community platform for Java development by iuiu individual developers. A security vulnerability exists in pybbs 6.0.0 and earlier versions, which stems from a guessable CAPTCHA issue in the function adminlogin/login in the CAPTCHA handling component...

ELADMIN 安全漏洞

ELADMIN is a backend management system for elunez individual developers. A security vulnerability exists in ELADMIN 2.7 and earlier versions, which stems from the use of default credentials that allow an attacker to remotely log in directly and disclose sensitive information...

MINI-8W3M-F3JR-MXXP

Bulletin has no description...

EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware

The financially motivated threat actor known as EncryptHubaka LARVA-208 and Water Gamayun has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. "LARVA-208 has evolved its tactics, using fake AI platforms e.g., Norlax AI, mimicking...

OAuth Dynamic Client Registration Permissive Redirect URI

OAuth Dynamic Client Registration requires specifying redirect URIs during the registration process. When the OAuth server accepts permissive redirect URIs, such as those allowing arbitrary hosts or ones starting with javascript://, an attacker could exploit this to perform Open Redirect or...

OAuth Dynamic Client Registration Permissive Metadata Field

OAuth Dynamic Client Registration allows for various metadata fields such as 'clientname', 'websiteuri' during the registration process. When the OAuth server accepts permissive values for such fields, such as ones starting with javascript://, an attacker could exploit this to perform Cross-Site...

arxiv-daily 路径遍历漏洞

arxiv-daily is an automated paper updater for OMAR Individual Developers. A security vulnerability exists in arxiv-daily version 2025-05-06, which stems from a directory traversal vulnerability when parsing the topic.yml file...

CVE-2025-45582

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file,...

gorobbs 路径遍历漏洞

gorobbs is a full-text search engine by letseeqiji's individual developers. A path traversal vulnerability exists in gorobbs 1.0.8 and earlier versions, which stems from a path traversal caused by the parameter filename operation...