CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-3396 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-3396
10 Jul 2025 — An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests. • https://gitlab.com/gitlab-org/gitlab/-/issues/534636 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-1754 – Missing Authentication for Critical Function in GitLab
https://notcve.org/view.php?id=CVE-2025-1754
26 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage. • https://gitlab.com/gitlab-org/gitlab/-/issues/521619 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-3279 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-3279
26 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests. • https://gitlab.com/gitlab-org/gitlab/-/issues/534424 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-5315 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-5315
26 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. • https://gitlab.com/gitlab-org/gitlab/-/issues/546282 • CWE-862: Missing Authorization •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2025-5846 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-5846
26 Jun 2025 — An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks. • https://gitlab.com/gitlab-org/gitlab/-/issues/546435 • CWE-862: Missing Authorization •
CVSS: 3.1EPSS: 0%CPEs: 3EXPL: 1CVE-2023-5600 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2023-5600
20 Jun 2025 — An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template. • https://gitlab.com/gitlab-org/gitlab/-/issues/428268 • CWE-862: Missing Authorization •
CVSS: 9.4EPSS: 0%CPEs: 3EXPL: 1CVE-2024-4994 – Cross-Site Request Forgery (CSRF) in GitLab
https://notcve.org/view.php?id=CVE-2024-4994
20 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations. • https://gitlab.com/gitlab-org/gitlab/-/issues/462012 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 1CVE-2024-4025 – Inefficient Regular Expression Complexity in GitLab
https://notcve.org/view.php?id=CVE-2024-4025
20 Jun 2025 — A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page. • https://gitlab.com/gitlab-org/gitlab/-/issues/457474 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 1CVE-2025-2443 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2025-2443
20 Jun 2025 — An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1. • https://gitlab.com/gitlab-org/gitlab/-/issues/525363 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-7586 – Insertion of Sensitive Information into Log File in GitLab
https://notcve.org/view.php?id=CVE-2024-7586
20 Jun 2025 — An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials. • https://gitlab.com/gitlab-org/gitlab/-/issues/463866 • CWE-532: Insertion of Sensitive Information into Log File •