CVSS: 8.0EPSS: %CPEs: 3EXPL: 1CVE-2025-12029 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-12029
11 Dec 2025 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI." • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: %CPEs: 3EXPL: 1CVE-2025-12734 – Improper Encoding or Escaping of Output in GitLab
https://notcve.org/view.php?id=CVE-2025-12734
11 Dec 2025 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to leak sensitive information from specifically crafted merge request titles. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 6.5EPSS: %CPEs: 3EXPL: 0CVE-2025-4097 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-4097
11 Dec 2025 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.7EPSS: %CPEs: 3EXPL: 1CVE-2025-8405 – Improper Encoding or Escaping of Output in GitLab
https://notcve.org/view.php?id=CVE-2025-8405
11 Dec 2025 — GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 4.3EPSS: %CPEs: 3EXPL: 1CVE-2025-11247 – Authorization Bypass Through User-Controlled Key in GitLab
https://notcve.org/view.php?id=CVE-2025-11247
11 Dec 2025 — GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.8EPSS: %CPEs: 3EXPL: 1CVE-2025-11984 – Authentication Bypass Using an Alternate Path or Channel in GitLab
https://notcve.org/view.php?id=CVE-2025-11984
11 Dec 2025 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 7.5EPSS: %CPEs: 3EXPL: 1CVE-2025-12562 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-12562
11 Dec 2025 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: %CPEs: 3EXPL: 0CVE-2025-13978 – Generation of Error Message Containing Sensitive Information in GitLab
https://notcve.org/view.php?id=CVE-2025-13978
11 Dec 2025 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access through API requests. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.5EPSS: %CPEs: 3EXPL: 0CVE-2025-14157 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-14157
11 Dec 2025 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters. • https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-6195 – Direct Request ('Forced Browsing') in GitLab
https://notcve.org/view.php?id=CVE-2025-6195
26 Nov 2025 — GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. • https://gitlab.com/gitlab-org/gitlab/-/issues/549937 • CWE-425: Direct Request ('Forced Browsing') •