CVE-2021-39911
An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers...
CVE-2021-39941
An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members...
CVE-2021-39909
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval...
CVE-2021-39934
Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2...
CVE-2021-22168
A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8...
CVE-2020-13346
Membership changes are not reflected in ToDo subscriptions in GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, allowing guest users to access confidential issues through API...
CVE-2020-13357
An issue was discovered in Gitlab CE/EE versions >= 13.1 to <= 13.5 to <= 13.6 to 13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project...
CVE-2020-26409
A DoS vulnerability exists in Gitlab CE/EE >=10.3, <=13.5, <=13.6, 13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields...
CVE-2020-10082
GitLab 12.2 through 12.8.1 allows Denial of Service. A denial of service vulnerability impacting the designs for public issues was discovered...
CVE-2019-5468
A privilege escalation issue was discovered in Gitlab versions 12.1.2, 12.0.4, and 11.11.6 when Mattermost slash commands are used with a blocked account...
CVE-2019-5469
An IDOR vulnerability exists in GitLab v12.1.2, v12.0.4, and v11.11.6 that allowed uploading files from project archive to replace other users files potentially allowing an attacker to replace project binaries or other uploaded assets...
CVE-2024-12244
An issue has been discovered in access controls that could allow users to view certain restricted project information even when related features are disabled in GitLab EE, affecting all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1...
Vulnerabilities fixed in GitLab
GitLab has fixed vulnerabilities in GitLab EE/CE versions from 11.5 to 17.9.2. The vulnerabilities include an issue where users with custom permissions can approve more membership requests than they are entitled to, which can lead to unauthorized access to restricted areas within the platform. In...
UBUNTU-CVE-2025-0652
An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, and all versions starting from 17.9 before 17.9.2 that could allow unauthorized users to access confidential information intended for internal use only...
PT-2025-11151 · Gitlab · Gitlab Ce/Ee
Name of the Vulnerable Software and Affected Versions: GitLab EE versions 17.2 through 17.7.7 GitLab EE versions 17.8 through 17.8.5 GitLab EE versions 17.9 through 17.9.2 Description: An issue was discovered in the Google Cloud IAM integration feature, where an input validation problem could hav...
Linux Distros Unpatched Vulnerability : CVE-2021-39880
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE all versions starting from 11.9 before 14.0.9, all versions starting from...
CVE-2025-1072
GitLab CE/EE DoS vulnerability CVE-2025-1072: A DoS can occur when importing maliciously crafted content via the Fogbugz importer. Affected versions include all releases from 7.14.1 up to but not including 17.3.7, 17.4 up to 17.4.3, and 17.5 up to 17.5.1. Remediation is provided by patches releas...
PT-2025-5901 · Gitlab · Gitlab Ce/Ee
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 7.14.1 through 17.3.7 GitLab CE/EE versions 17.4 through 17.4.4 GitLab CE/EE versions 17.5 through 17.5.2 Description: A Denial of Service (DoS) issue has been discovered in GitLab CE/EE. The issue could occur upon importi...
CVE-2022-1190
Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc...
CVE-2020-13276
User is allowed to set an email as a notification email even without verifying the new email in all previous GitLab CE/EE versions through 13.0.1...
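The entries in this listing describe affected versions in a handful of fixed phrasings: "starting from X before Y", "X prior to Y", "X to Y" and "X through Y". The script below is an added worked example, not code from GitLab or from the vulnerability database that produced this listing; it parses those phrasings into version ranges and checks an installed GitLab version against them. The advisory strings are copied from the CVE-2021-39911, CVE-2021-39941 and CVE-2024-12244 entries above; the installed version "14.3.3-ee" is a constructed input in the format GitLab's `/api/v4/version` endpoint returns.

```python
import re

# Affected-version wording copied from entries in the listing above.
CVE_2021_39911 = (
    "all versions of GitLab CE/EE starting from 13.9 before 14.2.6, "
    "all versions starting from 14.3 before 14.3.4, and all versions "
    "starting from 14.4 before 14.4.1"
)
CVE_2021_39941 = "GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2"
CVE_2024_12244 = (
    "all versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, "
    "and 17.11 prior to 17.11.1"
)

# One range per match. "<lo> before <hi>" and "<lo> prior to <hi>" exclude <hi>
# (it is the fixed release); "<lo> to <hi>" and "<lo> through <hi>" are read as
# including <hi>. Versions must contain a dot so bare integers in the prose
# (counts, years) are never picked up as versions.
RANGE_RE = re.compile(
    r"(\d+(?:\.\d+)+)\s+(before|prior to|to|through)\s+(\d+(?:\.\d+)+)"
)
INCLUSIVE_KEYWORDS = ("to", "through")


def parse_version(s):
    """Turn '14.3.3-ee' into (14, 3, 3) and '14.3' into (14, 3, 0).

    The '-ee'/'-ce' edition suffix GitLab reports is dropped, and the tuple is
    padded to three components so a bare minor version such as 14.3 compares
    as its first release, 14.3.0. Tuple comparison keeps 14.10 above 14.4,
    which a plain string comparison would get wrong.
    """
    core = s.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_ranges(text):
    """Return [(lo, hi, inclusive), ...] for every range phrase in text."""
    return [
        (parse_version(lo), parse_version(hi), kw in INCLUSIVE_KEYWORDS)
        for lo, kw, hi in RANGE_RE.findall(text)
    ]


def is_affected(installed, advisory_text):
    """True if `installed` falls inside any range the advisory text describes."""
    v = parse_version(installed)
    for lo, hi, inclusive in parse_ranges(advisory_text):
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False


def triage(installed, advisories):
    """Map advisory name -> affected? for one installed version."""
    return {name: is_affected(installed, text) for name, text in advisories.items()}


if __name__ == "__main__":
    # Constructed input: a hypothetical self-managed instance on 14.3.3 EE.
    installed = "14.3.3-ee"
    results = triage(installed, {
        "CVE-2021-39911": CVE_2021_39911,
        "CVE-2021-39941": CVE_2021_39941,
        "CVE-2024-12244": CVE_2024_12244,
    })
    for name, hit in results.items():
        print(f"{name}: {'AFFECTED' if hit else 'not affected'} ({installed})")
```

One caveat on the inclusive reading of "X to Y": the CVE-2021-39941 entry says "12.0 to 14.3.6" while the CVE-2021-39934 entry for the same patch set says "before 14.3.6", so the upper bound in the "to" phrasing is sometimes the fixed release rather than the last affected one. Treating it as inclusive errs toward reporting an instance on exactly the fix version as affected, which is the safe direction for triage; confirm against the vendor release notes before closing a finding on that boundary.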