GitLab Version Control Server and CI/CD Platform
GitLab EOL Dates
Ensure that you are using a supported version of GitLab. Here are some end of life, and end of support dates for GitLab.
| Release | EOL | End of Support | Status |
|---|---|---|---|
| 18.7 | March 19, 2026 | January 15, 2026 | EOL this year: GitLab 18.7 will become EOL in March 2026. |
| 18.6 | February 19, 2026 | December 18, 2025 | EOL this year: GitLab 18.6 will become EOL in February 2026. |
| 18.5 | January 15, 2026 | November 20, 2025 | EOL this year: GitLab 18.5 will become EOL in January 2026. |
| 18.4 | December 18, 2025 | October 16, 2025 | EOL: GitLab 18.4 became EOL in 2025; support ended in 2025. |
| 18.3 | November 20, 2025 | September 18, 2025 | EOL: GitLab 18.3 became EOL in 2025; support ended in 2025. |
| 18.2 | October 16, 2025 | August 21, 2025 | EOL: GitLab 18.2 became EOL in 2025; support ended in 2025. |
| 18.1 | September 18, 2025 | July 17, 2025 | EOL: GitLab 18.1 became EOL in 2025; support ended in 2025. |
| 18.0 | August 21, 2025 | June 19, 2025 | EOL: GitLab 18.0 became EOL in 2025; support ended in 2025. |
| 17.11 | July 17, 2025 | May 15, 2025 | EOL: GitLab 17.11 became EOL in 2025; support ended in 2025. |
| 17.9 | May 15, 2025 | March 20, 2025 | EOL: GitLab 17.9 became EOL in 2025; support ended in 2025. |
| 17.8 | April 17, 2025 | February 20, 2025 | EOL: GitLab 17.8 became EOL in 2025; support ended in 2025. |
| 17.7 | March 20, 2025 | January 16, 2025 | EOL: GitLab 17.7 became EOL in 2025; support ended in 2025. |
| 17.6 | February 20, 2025 | December 19, 2024 | EOL: GitLab 17.6 became EOL in 2025; support ended in 2024. |
| 17.5 | January 16, 2025 | November 21, 2024 | EOL: GitLab 17.5 became EOL in 2025; support ended in 2024. |
| 17.4 | December 19, 2024 | October 17, 2024 | EOL: GitLab 17.4 became EOL in 2024; support ended in 2024. |
| 17.3 | November 21, 2024 | September 19, 2024 | EOL: GitLab 17.3 became EOL in 2024; support ended in 2024. |
| 17.2 | October 17, 2024 | August 15, 2024 | EOL: GitLab 17.2 became EOL in 2024; support ended in 2024. |
| 17.1 | September 19, 2024 | July 18, 2024 | EOL: GitLab 17.1 became EOL in 2024; support ended in 2024. |
| 17.0 | August 15, 2024 | June 20, 2024 | EOL: GitLab 17.0 became EOL in 2024; support ended in 2024. |
| 16.11 | July 18, 2024 | May 16, 2024 | EOL: GitLab 16.11 became EOL in 2024; support ended in 2024. |
By the Year
In 2026 there have been 8 vulnerabilities in GitLab with an average score of 6.7 out of ten. Last year, in 2025, GitLab had 161 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in GitLab in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.61.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 6.68 |
| 2025 | 161 | 6.06 |
| 2024 | 147 | 6.32 |
| 2023 | 178 | 5.62 |
| 2022 | 151 | 5.74 |
| 2021 | 156 | 5.45 |
| 2020 | 235 | 6.14 |
| 2019 | 164 | 6.23 |
| 2018 | 33 | 7.06 |
It may take a day or so for new GitLab vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent GitLab Security Vulnerabilities
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2
CVE-2025-11224
7.7 - High
- January 14, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.
XSS
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVE-2025-3950
3.5 - Low
- January 09, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.
Privacy violation
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVE-2025-9222
8.7 - High
- January 09, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
XSS
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVE-2025-10569
6.5 - Medium
- January 09, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.
Allocation of Resources Without Limits or Throttling
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVE-2025-11246
5.4 - Medium
- January 09, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations.
Insufficient Granularity of Access Control
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVE-2025-13772
7.1 - High
- January 09, 2026
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests.
AuthZ
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1
CVE-2025-13761
8 - High
- January 09, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
XSS
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1
CVE-2025-13781
6.5 - Medium
- January 09, 2026
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.
AuthZ
GitLab < 18.4.6 / 18.5.4 / 18.6.2 - Swagger UI External Script Injection
CVE-2025-12029
8 - High
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI.
XSS
GitLab CE/EE Merge Request Title Leak (18.4.6, 18.5.4, 18.6.2)
CVE-2025-12734
3.5 - Low
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles.
Output Sanitization
GitLab CE/EE DoS via Authenticated Image Upload before 18.4.6/18.5.4/18.6.2
CVE-2025-4097
6.5 - Medium
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images.
Allocation of Resources Without Limits or Throttling
GitLab CE/EE Authenticated XSS 17.1-18.6.2 Unauthorized Actions
CVE-2025-8405
7.7 - High
- December 11, 2025
GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays.
Output Sanitization
GitLab EE: Authenticated GQL Disclosure (v13.2-18.6.1)
CVE-2025-11247
4.3 - Medium
- December 11, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries.
Insecure Direct Object Reference / IDOR
GitLab WebAuthn 2FA Bypass via Session Manipulation v13-18.4.5/18.5-18.5.3/18.6-18.6.1
CVE-2025-11984
6.8 - Medium
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.
Authentication Bypass Using an Alternate Path or Channel
DoS via GraphQL Complexity Bypass in GitLab CE/EE 11.10-18.6 pre-18.4.6
CVE-2025-12562
7.5 - High
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits.
Allocation of Resources Without Limits or Throttling
GitLab CE/EE Wiki Auth Escalation 18.4-18.6 (pre-18.4.6/18.5.4/18.6.2)
CVE-2025-12716
8.7 - High
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content.
XSS
GitLab API Private Project Name Disclosure (v17.5-18.6.2)
CVE-2025-13978
4.3 - Medium
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover the names of private projects they do not have access to through API requests.
Generation of Error Message Containing Sensitive Information
GitLab CE/EE DoS via API Calls in v6.3-18.x, fixed in 18.4.6, 18.5.4, 18.6.2
CVE-2025-14157
6.5 - Medium
- December 11, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters.
Allocation of Resources Without Limits or Throttling
GitLab CE/EE < 18.4.5 Credential Leak via Authenticated Access (CVE-2024-9183)
CVE-2024-9183
7.7 - High
- December 05, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions.
TOCTTOU
Info Disclosure via Security Reports in GitLab EE pre-18.4.5/18.5.3/18.6.1
CVE-2025-6195
4.3 - Medium
- November 26, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions.
forced browsing
GitLab CE/EE DoS via HTTP response (auth) pre-18.4.5/18.5.3/18.6.1
CVE-2025-7449
6.5 - Medium
- November 26, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing.
Allocation of Resources Without Limits or Throttling
GitLab CE/EE Denial of Service via Malicious JSON (Unauthenticated Exploit)
CVE-2025-12571
7.5 - High
- November 26, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads.
Allocation of Resources Without Limits or Throttling
GitLab CE/EE Unauth Org Join via Header Manipulation (pre-18.6.1)
CVE-2025-12653
6.5 - Medium
- November 26, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.
Authentication Bypass by Spoofing
GitLab CE/EE Log Auth Token Leak (v13.2-18.4.5, 18.5-18.5.3, 18.6-18.6.1)
CVE-2025-13611
2 - Low
- November 26, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions.
Insertion of Sensitive Information into Log File
GitLab GraphQL API: Unauthorized View of CI/CD Vars (13.7-18.3.3, 18.4-18.4.1)
CVE-2025-9825
5 - Medium
- November 21, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.
AuthZ
GitLab CE/EE: Authenticated DoS via Nested Markdown (pre-18.4.4)
CVE-2025-12983
3.5 - Low
- November 15, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.
Stack Exhaustion
GitLab GraphQL WebSocket info leak CVE-2025-2615 (18.3.6, 18.4.4, 18.5.2)
CVE-2025-2615
4.3 - Medium
- November 15, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.
Insertion of Sensitive Information Into Sent Data
GitLab EE Info Leak via MR Comment Prompts (17.8-<18.3.6, 18.4-<18.4.4, 18.5-<18.5.2)
CVE-2025-6945
3.5 - Low
- November 15, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments.
Command Injection
GitLab CE/EE Reporter Privilege Leak via Packages API v13.2-18.5.1
CVE-2025-6171
5.3 - Medium
- November 15, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled.
AuthZ
GitLab CE/EE Branch Name Disclosure (17.6-18.5.x, pre-18.3.6, pre-18.4.4, pre-18.5.2)
CVE-2025-7000
4.3 - Medium
- November 15, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests.
Insertion of Sensitive Information Into Sent Data
GitLab CE/EE Auth Bypass via OAuth (17.9-18.5.x)
CVE-2025-7736
3.1 - Low
- November 15, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers.
AuthZ
GitLab EE Before 18.3.6/18.4.4/18.5.2: Remote Removal of Duo Flows
CVE-2025-11865
4.3 - Medium
- November 15, 2025
An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user.
AuthZ
GitLab EE CSRF token leak via repo refs (18.4<18.4.4,18.5<18.5.2)
CVE-2025-11990
3.1 - Low
- November 15, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.
Hex Encoding
Auth Hijack of Project Runners in GitLab EE <18.3.5/18.4.3/18.5.1
CVE-2025-11702
8.5 - High
- October 29, 2025
GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.
AuthZ
GitLab EE 18.4/18.5: Authenticated users get unauthorized project access via approval workflow
CVE-2025-6601
2.7 - Low
- October 27, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.3, and 18.5 before 18.5.1 that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow.
Business Logic Errors
GitLab CE/EE DoS via crafted payloads before 18.5.1
CVE-2025-10497
7.5 - High
- October 27, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending specially crafted payloads.
Allocation of Resources Without Limits or Throttling
GitLab EE V10.6-18.5.0 Unauthorized Pipeline Exec (CVE-2025-11971)
CVE-2025-11971
6.5 - Medium
- October 27, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to trigger unauthorized pipeline executions by manipulating commits.
AuthZ
GitLab Denial of Service via Large File Upload - Fixed in 18.3.5, 18.4.3, 18.5.1
CVE-2025-11974
6.5 - Medium
- October 27, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to create a denial of service condition by uploading large files to specific API endpoints.
Allocation of Resources Without Limits or Throttling
GitLab CE/EE <18.3.5/18.4.3/18.5.1: Unauth GraphQL DDoS via crafted JSON
CVE-2025-11447
7.5 - High
- October 27, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with crafted JSON payloads.
Allocation of Resources Without Limits or Throttling
GitLab EE: Unauthorized Quick Actions via Malicious Commands v17.6.0-18.5.1
CVE-2025-11989
3.7 - Low
- October 26, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions.
AuthZ
GitLab GraphQL Large-Blob Query DoS (CE/EE 13.12-18.4.x)
CVE-2025-10004
7.5 - High
- October 09, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.
Allocation of Resources Without Limits or Throttling
GitLab EE 18.3-18.4.2: Authenticated Read-Only API Tokens Exploit GraphQL
CVE-2025-11340
7.7 - High
- October 09, 2025
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
AuthZ
GitLab CE/EE 18.4.2 Authenticated DoS via Malicious Webhook
CVE-2025-2934
4.3 - Medium
- October 09, 2025
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2 that could have allowed an authenticated attacker to create a denial of service condition by configuring malicious webhook endpoints that send crafted HTTP responses.
Allocation of Resources Without Limits or Throttling
GitLab Denial of Service via GraphQL Complexity Limits (v<18.2.7/18.3.3/18.4.1)
CVE-2025-8014
7.5 - High
- September 27, 2025
Denial of Service issue in GraphQL endpoints in Gitlab EE/CE affecting all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 allows unauthenticated users to potentially bypass query complexity limits leading to resource exhaustion and service disruption.
Allocation of Resources Without Limits or Throttling
GitLab CE/EE 17.2-18.4 GraphQL CPU DoS Vulnerability
CVE-2025-11042
4.3 - Medium
- September 26, 2025
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries.
Allocation of Resources Without Limits or Throttling
Auth Bypass Issue Access in GitLab CE/EE via Duplicate Project Names (v<18.2.7)
CVE-2025-5069
3.5 - Low
- September 26, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name to the victim's project.
Incorrect Ownership Assignment
GitLab string conversion performance drop pre 18.2.7/18.3.3/18.4.1
CVE-2025-10868
3.5 - Low
- September 26, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 where certain string conversion methods exhibit performance degradation with large inputs.
Business Logic Errors
GitLab EE Privilege Escalation 16.6-18.2.7, 18.3-18.3.3, 18.4-18.4.1
CVE-2025-7691
6.5 - Medium
- September 26, 2025
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities.
Privilege Defined With Unsafe Actions
GitLab CE/EE <18.2.7, <18.3.3, <18.4.1 - XSS/Code Injection Leads to Takeover
CVE-2025-9642
8.7 - High
- September 26, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover.
XSS
GitLab Guest access to sensitive virtual registry info (CE/EE 18.4.1)
CVE-2025-9958
7.7 - High
- September 26, 2025
An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive information stored in virtual registry configurations.
Insertion of Sensitive Information Into Sent Data