CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-1754 – Missing Authentication for Critical Function in GitLab
https://notcve.org/view.php?id=CVE-2025-1754
26 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage. • https://gitlab.com/gitlab-org/gitlab/-/issues/521619 • CWE-306: Missing Authentication for Critical Function •
CVSS: 3.1EPSS: 0%CPEs: 3EXPL: 1CVE-2025-2938 – Business Logic Errors in GitLab
https://notcve.org/view.php?id=CVE-2025-2938
26 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants. • https://gitlab.com/gitlab-org/gitlab/-/issues/529006 • CWE-840: Business Logic Errors •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-3279 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-3279
26 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests. • https://gitlab.com/gitlab-org/gitlab/-/issues/534424 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2025-5315 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-5315
26 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. • https://gitlab.com/gitlab-org/gitlab/-/issues/546282 • CWE-862: Missing Authorization •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2025-5846 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-5846
26 Jun 2025 — An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks. • https://gitlab.com/gitlab-org/gitlab/-/issues/546435 • CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 1CVE-2025-5121 – Missing Authorization in GitLab
https://notcve.org/view.php?id=CVE-2025-5121
20 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group. • https://gitlab.com/gitlab-org/gitlab/-/issues/545429 • CWE-862: Missing Authorization •
CVSS: 3.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-5982 – Insufficient Granularity of Access Control in GitLab
https://notcve.org/view.php?id=CVE-2025-5982
12 Jun 2025 — An issue has been discovered in GitLab EE affecting all versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Under certain conditions users could bypass IP access restrictions and view sensitive information. • https://gitlab.com/gitlab-org/gitlab/-/issues/514456 • CWE-1220: Insufficient Granularity of Access Control •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2024-9512 – Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab
https://notcve.org/view.php?id=CVE-2024-9512
12 Jun 2025 — An issue has been discovered in GitLab EE affecting all versions prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. It may have been possible for private repository to be cloned in case of race condition when a secondary node is out of sync. • https://gitlab.com/gitlab-org/gitlab/-/issues/497748 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2025-0673 – Loop with Unreachable Exit Condition ('Infinite Loop') in GitLab
https://notcve.org/view.php?id=CVE-2025-0673
12 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, allow an attacker to trigger an infinite redirect loop, potentially leading to a denial of service condition. • https://gitlab.com/gitlab-org/gitlab/-/issues/514732 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2025-5195 – Authorization Bypass Through User-Controlled Key in GitLab
https://notcve.org/view.php?id=CVE-2025-5195
12 Jun 2025 — An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. It was possible for authenticated users to access arbitrary compliance frameworks, leading to unauthorized data disclosure. • https://gitlab.com/gitlab-org/gitlab/-/issues/534960 • CWE-639: Authorization Bypass Through User-Controlled Key •