
470 matches found

RedhatCVE
added 2026/01/07 9:13 a.m. · 4 views

CVE-2024-2800

ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking...

CVSS 7.5 · AI score 6.3 · EPSS 0.00065
Exploits 0 · References 1
Positive Technologies
added 2026/01/07 12:00 a.m. · 1 view

PT-2026-1693

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 15.4 through 18.5.4; GitLab CE/EE versions 18.6 through 18.6.2; GitLab CE/EE versions 18.7 through 18.7.0. Description: An authenticated user with specific permissions could remove all project runners from unrelated projects ...

CVSS 5.5 · AI score 6.3 · EPSS 0.00006
Exploits 0 · References 15
OSV
added 2025/12/18 12:04 p.m. · 1 view

BIT-GITLAB-2025-14157 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters...

CVSS 6.5 · AI score 6.6 · EPSS 0.00077
Exploits 0 · References 3
RedhatCVE
added 2025/12/12 8:06 a.m. · 2 views

CVE-2025-12734

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into...

CVSS 3.5 · AI score 6.4 · EPSS 0.00012
Exploits 0 · References 1
RedhatCVE
added 2025/12/12 4:13 a.m. · 1 view

CVE-2025-11247

GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries...

CVSS 4.3 · AI score 6.3 · EPSS 0.00017
Exploits 0 · References 1
Vulnrichment
added 2025/12/11 7:32 a.m. · 1 view

CVE-2025-12029 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious...

CVSS 8 · AI score 6.6 · EPSS 0.00106
Exploits 0 · References 3
OSV
added 2025/12/11 7:32 a.m. · 1 view

CVE-2025-12029 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious...

CVSS 8 · AI score 6.9 · EPSS 0.00106
Exploits 0 · References 6
NVD
added 2025/12/11 5:16 a.m. · 4 views

CVE-2025-8405

GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability...

CVSS 7.7 · EPSS 0.00009
Exploits 0 · References 3
NVD
added 2025/12/11 4:15 a.m. · 3 views

CVE-2025-13978

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access to through API requests...

CVSS 4.3 · EPSS 0.00016
Exploits 0 · References 3
OSV
added 2025/12/11 4:05 a.m. · 1 view

CVE-2025-4097 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images...

CVSS 6.5 · AI score 6.5 · EPSS 0.00077
Exploits 0 · References 5
CVE
added 2025/12/11 3:33 a.m. · 9 views

CVE-2025-13978

CVE-2025-13978 affects GitLab CE/EE, impacting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2. An authenticated user could discover the names of private projects they are not authorized to access via API requests. The vulnerability has been remediated by GitLab i...

CVSS 4.3 · AI score 6.3 · EPSS 0.00016
Exploits 0 · References 3 · Affected Software 1
RedhatCVE
added 2025/11/27 8:00 p.m. · 3 views

CVE-2025-13611

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.5.5 and 18.6 before 18.6.3 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions...

CVSS 5.3 · AI score 5.9 · EPSS 0.00009
Exploits 0 · References 1
CVE
added 2025/11/26 7:46 p.m. · 11 views

CVE-2025-7449

GitLab CVE-2025-7449 affects GitLab CE/EE versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1. The vulnerability enables an authenticated user with specific permissions to cause a Denial of Service via HTTP response processing. The issue has been remediated through patc...

CVSS 6.5 · AI score 6.2 · EPSS 0.0009
Exploits 0 · References 3 · Affected Software 1
CVE
added 2025/11/26 7:46 p.m. · 8 views

CVE-2025-12653

Affected products/versions: GitLab CE/EE 18.3–18.4.5, 18.5–18.5.3, and 18.6–18.6.1. Vulnerability: unauthenticated users could join arbitrary organizations by altering headers on certain requests. Root cause / vector: manipulation of request headers leading to org-join authorization bypass (per t...

CVSS 6.5 · AI score 6.7 · EPSS 0.00061
Exploits 0 · References 3 · Affected Software 1
OSV
added 2025/11/26 7:46 p.m. · 3 views

CVE-2025-12653 Authentication Bypass by Spoofing in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests...

CVSS 6.5 · AI score 7 · EPSS 0.00061
Exploits 0 · References 6
CVE
added 2025/11/26 7:45 p.m. · 34 views

CVE-2025-13611

GitLab CVE-2025-13611 affects GitLab CE/EE versions 13.2 to 18.4.5, 18.5 to 18.5.3, and 18.6 to 18.6.1. An authenticated user with access to certain logs could obtain sensitive tokens under specific conditions. The issue has been remediated by patches in GitLab, with fixed releases noted as 18.6....

CVSS 5.3 · AI score 5.9 · EPSS 0.00009
Exploits 0 · References 2 · Affected Software 1
OSV
added 2025/11/21 9:04 a.m. · 2 views

BIT-GITLAB-2025-6945 Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments...

CVSS 3.5 · AI score 6.5 · EPSS 0.00025
Exploits 0 · References 4
NCSC
added 2025/11/18 7:01 a.m. · 8 views

Vulnerabilities fixed in GitLab

GitLab has fixed vulnerabilities in GitLab CE/EE versions 18.3.6, 18.4.4, and 18.5.2. The vulnerabilities include the ability for attackers to remove Duo authentication flows, access sensitive information via GraphQL subscriptions, and bypass access controls on GitLab Pages. These...

CVSS 7.8 · AI score 7.8 · EPSS 0.00104
Exploits 4 · References 1
OSV
added 2025/11/15 8:13 a.m. · 1 view

CVE-2025-12983 Memory Allocation with Excessive Size Value in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formattin...

CVSS 3.5 · AI score 6.2 · EPSS 0.00024
Exploits 0 · References 6
CVE
added 2025/11/15 8:04 a.m. · 33 views

CVE-2025-7736

Technical details about CVE-2025-7736 are not publicly available in the provided connected documents. The initial record includes remediation notes but no explicit affected versions, root cause, exploit details, or patch specifics beyond the GitLab patch release. Monitor for updates.

CVSS 4.3 · AI score 6.4 · EPSS 0.00013
Exploits 0 · References 3 · Affected Software 1