CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2026-1752 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2026-1752
08 Apr 2026 — GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API. • https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 1CVE-2026-2745 – Authentication Bypass Using an Alternate Path or Channel in GitLab
https://notcve.org/view.php?id=CVE-2026-2745
25 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts due to inconsistent input validation in the authentication process. • https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2026-2726 – Incorrect Authorization in GitLab
https://notcve.org/view.php?id=CVE-2026-2726
25 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations. • https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2026-1182 – Improper Removal of Sensitive Information Before Storage or Transfer in GitLab
https://notcve.org/view.php?id=CVE-2026-1182
12 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.14 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to gain unauthorized access to confidential issue title created in public projects under certain circumstances. • https://gitlab.com/gitlab-org/gitlab/-/work_items/586613 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2025-12576 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-12576
11 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook response data. • https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2025-13929 – Allocation of Resources Without Limits or Throttling in GitLab
https://notcve.org/view.php?id=CVE-2025-13929
11 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpoints under certain conditions. • https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 1CVE-2026-1090 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2026-1090
11 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser due to improper sanitization of placeholder content in markdown processing. • https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.1EPSS: 0%CPEs: 3EXPL: 1CVE-2026-1230 – Use of Incorrectly-Resolved Name or Reference in GitLab
https://notcve.org/view.php?id=CVE-2026-1230
11 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances. • https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2026-3848 – Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab
https://notcve.org/view.php?id=CVE-2026-3848
11 Mar 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality. • https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 1CVE-2025-14511 – Improper Validation of Specified Quantity in Input in GitLab
https://notcve.org/view.php?id=CVE-2025-14511
25 Feb 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions. • https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released • CWE-1284: Improper Validation of Specified Quantity in Input •