CVE-2025-12704 (GCVE-0-2025-12704)
Vulnerability from cvelistv5 – Published: 2026-03-11 16:05 – Updated: 2026-03-12 16:20 – CWE-862 - Missing Authorization
Note: the GitLab CNA scores this CVSS:3.1 3.5 (Low) with UI:R, while NVD's primary score (see the fkie_nvd section) uses UI:N for 4.3 (Medium); the two vectors differ only in User Interaction, so the NVD score is the conservative choice for prioritisation unless the vendor's UI:R rationale is known. The HackerOne report is tagged permissions-required, i.e. it is not publicly readable; the vendor release post is the only open reference.
| URL | Tags |
|---|---|
| https://hackerone.com/reports/3389825 | technical-description, exploit, permissions-required |
| https://gitlab.com/gitlab-org/gitlab/-/work_items/579534 | |
| https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/ | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T15:42:44.887645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T16:20:13.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.7.6",
"status": "affected",
"version": "18.2",
"versionType": "semver"
},
{
"lessThan": "18.8.6",
"status": "affected",
"version": "18.8",
"versionType": "semver"
},
{
"lessThan": "18.9.2",
"status": "affected",
"version": "18.9",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanks [mateuszek](https://hackerone.com/mateuszek) for reporting this vulnerability through our HackerOne bug bounty program"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:05:55.759Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "HackerOne Bug Bounty Report #3389825",
"tags": [
"technical-description",
"exploit",
"permissions-required"
],
"url": "https://hackerone.com/reports/3389825"
},
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/579534"
},
{
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."
}
],
"title": "Missing Authorization in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2025-12704",
"datePublished": "2026-03-11T16:05:55.759Z",
"dateReserved": "2025-11-04T18:34:22.289Z",
"dateUpdated": "2026-03-12T16:20:13.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-12704",
"date": "2026-06-17",
"epss": "0.00215",
"percentile": "0.1174"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-12704\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2026-03-11T16:16:18.570\",\"lastModified\":\"2026-03-17T20:59:11.730\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.\"},{\"lang\":\"es\",\"value\":\"GitLab ha remediado un problema en GitLab EE que afecta a todas las versiones desde la 18.2 anteriores a la 18.7.6, la 18.8 anteriores a la 18.8.6 y la 18.9 anteriores a la 18.9.2 que podr\u00eda haber permitido a un usuario autenticado acceder a datos del Registro Virtual en grupos de los que no son miembros debido a una autorizaci\u00f3n incorrecta bajo ciertas condiciones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\
":[{\"source\":\"cve@gitlab.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"18.2.0\",\"versionEndExcluding\":\"18.7.6\",\"matchCriteriaId\":\"61412438-52EE-435B-A300-7394252AB2E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"18.2.0\",\"versionEndExcluding\":\"18.7.6\",\"matchCriteriaId\":\"87885DCB-FAAA-4D36-B81F-D95F6A366606\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"18.8.0\",\"versionEndExcluding\":\"18.8.6\",\"matchCriteriaId\":\"B703CB01-7F6D-4D6E-AE88-CF2F8012CA27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"18.8.0\",\"versionEndExcluding\":\"18.8.6\",\"matchCriteriaId\":\"2B1F834B-A628-4894-A531-1A2A60DD58D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"18.9.0\",\"versionEndExcluding\":\"18.9.2\",\"matchCriteriaId\":\"44EAE9A6-5ED9-42F6-9BBD-0E2F8072F0D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"18.9.0\",\"versionEndExcluding\":\"18.9.2\",\"matchCriteriaId\":\"12A2DEC0-C471-4C98-960C-405209403AB9\"}]}]}],\"references\":[{\"url\":\"https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/work_items/579534\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://hackerone.com/reports/3389825\",\"source\":\"cve@gitlab.com\",\"tags\":[\"Permissions Required\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-12704\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T15:42:44.887645Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T15:42:50.542Z\"}}], \"cna\": {\"title\": \"Missing Authorization in GitLab\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thanks [mateuszek](https://hackerone.com/mateuszek) for reporting this vulnerability through our HackerOne bug bounty program\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\"], \"repo\": \"git://git@gitlab.com:gitlab-org/gitlab.git\", \"vendor\": \"GitLab\", \"product\": \"GitLab\", \"versions\": [{\"status\": \"affected\", \"version\": \"18.2\", \"lessThan\": \"18.7.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"18.8\", \"lessThan\": \"18.8.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"18.9\", \"lessThan\": \"18.9.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.\"}], \"references\": [{\"url\": 
\"https://hackerone.com/reports/3389825\", \"name\": \"HackerOne Bug Bounty Report #3389825\", \"tags\": [\"technical-description\", \"exploit\", \"permissions-required\"]}, {\"url\": \"https://gitlab.com/gitlab-org/gitlab/-/work_items/579534\"}, {\"url\": \"https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"shortName\": \"GitLab\", \"dateUpdated\": \"2026-03-11T16:05:55.759Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-12704\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-12T16:20:13.909Z\", \"dateReserved\": \"2025-11-04T18:34:22.289Z\", \"assignerOrgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"datePublished\": \"2026-03-11T16:05:55.759Z\", \"assignerShortName\": \"GitLab\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
bit-gitlab-2025-12704
Vulnerability from bitnami_vulndb
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "gitlab",
"purl": "pkg:bitnami/gitlab"
},
"ranges": [
{
"events": [
{
"introduced": "18.2.0"
},
{
"fixed": "18.7.6"
},
{
"introduced": "18.8.0"
},
{
"fixed": "18.8.6"
},
{
"introduced": "18.9.0"
},
{
"fixed": "18.9.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2025-12704"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*"
],
"severity": "Medium"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.",
"id": "BIT-gitlab-2025-12704",
"modified": "2026-03-18T09:23:06.258Z",
"published": "2026-03-13T09:30:55.187Z",
"references": [
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/579534"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3389825"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12704"
}
],
"schema_version": "1.6.2",
"summary": "Missing Authorization in GitLab"
}
CERTFR-2026-AVI-0276
Vulnerability from certfr_avis - Published: 2026-03-12 - Updated: 2026-03-12
De multiples vulnérabilités ont été découvertes dans GitLab. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description | ||
|---|---|---|---|---|
| GitLab | N/A | GitLab Community Edition (CE) et Gitlab Enterprise Edition (EE) versions antérieures à 18.7.6 | ||
| GitLab | N/A | GitLab Community Edition (CE) et Gitlab Enterprise Edition (EE) versions 18.8.x antérieures à 18.8.6 | ||
| GitLab | N/A | GitLab Community Edition (CE) et Gitlab Enterprise Edition (EE) versions 18.9.x antérieures à 18.9.2 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "GitLab Community Edition (CE) et Gitlab Enterprise Edition (EE) versions ant\u00e9rieures \u00e0 18.7.6",
"product": {
"name": "N/A",
"vendor": {
"name": "GitLab",
"scada": false
}
}
},
{
"description": "GitLab Community Edition (CE) et Gitlab Enterprise Edition (EE) versions 18.8.x ant\u00e9rieures \u00e0 18.8.6",
"product": {
"name": "N/A",
"vendor": {
"name": "GitLab",
"scada": false
}
}
},
{
"description": "GitLab Community Edition (CE) et Gitlab Enterprise Edition (EE) versions 18.9.x ant\u00e9rieures \u00e0 18.9.2",
"product": {
"name": "N/A",
"vendor": {
"name": "GitLab",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-12704",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12704"
},
{
"name": "CVE-2025-14513",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14513"
},
{
"name": "CVE-2026-0602",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0602"
},
{
"name": "CVE-2026-1732",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1732"
},
{
"name": "CVE-2025-12576",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12576"
},
{
"name": "CVE-2025-13929",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13929"
},
{
"name": "CVE-2025-12555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12555"
},
{
"name": "CVE-2026-3848",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3848"
},
{
"name": "CVE-2026-1090",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1090"
},
{
"name": "CVE-2026-1663",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1663"
},
{
"name": "CVE-2025-12697",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12697"
},
{
"name": "CVE-2026-1069",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1069"
},
{
"name": "CVE-2025-13690",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13690"
},
{
"name": "CVE-2026-1230",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1230"
}
],
"initial_release_date": "2026-03-12T00:00:00",
"last_revision_date": "2026-03-12T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0276",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-03-12T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans GitLab. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans GitLab",
"vendor_advisories": [
{
"published_at": "2026-03-11",
"title": "Bulletin de s\u00e9curit\u00e9 GitLab",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"
}
]
}
FKIE_CVE-2025-12704
Vulnerability from fkie_nvd - Published: 2026-03-11 16:16 - Updated: 2026-06-17 08:32 – 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Note: NVD's primary score (4.3 Medium, UI:N) and the GitLab CNA's secondary score (3.5 Low, UI:R) differ only in User Interaction. Although the description scopes the issue to GitLab EE, NVD's configurations below mark both the community and enterprise CPEs as vulnerable for 18.2.0 up to (excluding) 18.7.6, 18.8.0 up to 18.8.6 and 18.9.0 up to 18.9.2, so self-managed CE instances should be treated as in scope for patching until the vendor confirms otherwise. The GitLab work-item reference is tagged Broken Link by NVD, so the vendor release post is the reference to rely on.
| URL | Tags | ||
|---|---|---|---|
| cve@gitlab.com | https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/ | Release Notes, Vendor Advisory | |
| cve@gitlab.com | https://gitlab.com/gitlab-org/gitlab/-/work_items/579534 | Broken Link | |
| cve@gitlab.com | https://hackerone.com/reports/3389825 | Permissions Required |
{
"affected": [
{
"affectedData": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.7.6",
"status": "affected",
"version": "18.2",
"versionType": "semver"
},
{
"lessThan": "18.8.6",
"status": "affected",
"version": "18.8",
"versionType": "semver"
},
{
"lessThan": "18.9.2",
"status": "affected",
"version": "18.9",
"versionType": "semver"
}
]
}
],
"source": "cve@gitlab.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
"matchCriteriaId": "61412438-52EE-435B-A300-7394252AB2E5",
"versionEndExcluding": "18.7.6",
"versionStartIncluding": "18.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "87885DCB-FAAA-4D36-B81F-D95F6A366606",
"versionEndExcluding": "18.7.6",
"versionStartIncluding": "18.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
"matchCriteriaId": "B703CB01-7F6D-4D6E-AE88-CF2F8012CA27",
"versionEndExcluding": "18.8.6",
"versionStartIncluding": "18.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "2B1F834B-A628-4894-A531-1A2A60DD58D7",
"versionEndExcluding": "18.8.6",
"versionStartIncluding": "18.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
"matchCriteriaId": "44EAE9A6-5ED9-42F6-9BBD-0E2F8072F0D9",
"versionEndExcluding": "18.9.2",
"versionStartIncluding": "18.9.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "12A2DEC0-C471-4C98-960C-405209403AB9",
"versionEndExcluding": "18.9.2",
"versionStartIncluding": "18.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions."
},
{
"lang": "es",
"value": "GitLab ha remediado un problema en GitLab EE que afecta a todas las versiones desde la 18.2 anteriores a la 18.7.6, la 18.8 anteriores a la 18.8.6 y la 18.9 anteriores a la 18.9.2 que podr\u00eda haber permitido a un usuario autenticado acceder a datos del Registro Virtual en grupos de los que no son miembros debido a una autorizaci\u00f3n incorrecta bajo ciertas condiciones."
}
],
"id": "CVE-2025-12704",
"lastModified": "2026-06-17T08:32:49.433",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cve@gitlab.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2025-12704",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T15:42:44.887645Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-03-11T16:16:18.570",
"references": [
{
"source": "cve@gitlab.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"
},
{
"source": "cve@gitlab.com",
"tags": [
"Broken Link"
],
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/579534"
},
{
"source": "cve@gitlab.com",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/3389825"
}
],
"sourceIdentifier": "cve@gitlab.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "cve@gitlab.com",
"type": "Secondary"
}
]
}
GHSA-5PRC-F4C3-QJPV
Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-11 18:30
Note: this GHSA entry is unreviewed (github_reviewed: false) and carries an empty affected list, so tooling that matches on GHSA package ranges will not flag vulnerable GitLab versions from it; use the CVE, NVD or Bitnami version ranges instead. Its severity (LOW) follows the CNA vector with UI:R, not NVD's 4.3 Medium.
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.
{
"affected": [],
"aliases": [
"CVE-2025-12704"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T16:16:18Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.",
"id": "GHSA-5prc-f4c3-qjpv",
"modified": "2026-03-11T18:30:32Z",
"published": "2026-03-11T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12704"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3389825"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/579534"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
NCSC-2026-0093
Vulnerability from csaf_ncscnl - Published: 2026-03-12 14:42 - Updated: 2026-03-12 14:42
Note: this NCSC-NL advisory covers the whole GitLab 18.9.2 / 18.8.6 / 18.7.6 patch release, and each entry below describes a different vulnerability from that release; the entry corresponding to CVE-2025-12704 is the one on Virtual Registry data (CWE-862). The product entries carry no concrete version range (vers:unknown/*), so take affected versions from the vendor advisory or the CVE record, not from this document.
GitLab addressed a security vulnerability in versions 8.11 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to perform unintended internal requests via proxy environments due to improper input validation in the import feature.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a security flaw in versions 15.1 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access previous pipeline job data on projects with repository and CI/CD disabled due to improper authorization checks.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a denial of service vulnerability affecting versions 9.3 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2, caused by improper handling of webhook response data.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a security vulnerability in versions 15.5 through prior to 18.9.2 that allowed authenticated users with maintainer permissions to potentially access Datadog API credentials.
CWE-116 - Improper Encoding or Escaping of Output
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a security vulnerability in specific GitLab EE versions that permitted authenticated users to improperly access Virtual Registry data in unauthorized groups due to flawed authorization controls.
CWE-862 - Missing Authorization
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a denial of service vulnerability affecting versions 16.11 through prior to 18.9.2, caused by improper input validation on webhook custom header names for authenticated users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a denial of service vulnerability affecting versions 10.0 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2, exploitable via specially crafted requests to repository archive endpoints by unauthenticated users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a denial of service vulnerability caused by improper input validation in the protected branches API affecting versions 16.11 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a vulnerability in versions 15.6 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access metadata from private content due to improper snippet rendering filtering.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab versions 18.9 to before 18.9.2 contained a denial of service vulnerability due to uncontrolled recursion in GraphQL requests exploitable by unauthenticated users.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a security vulnerability in versions 10.6 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to inject JavaScript via markdown placeholders when the `markdown_placeholders` feature flag was enabled.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a security vulnerability in versions 8.14 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access confidential issue titles in public projects without proper authorization.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a vulnerability in versions prior to 18.7.6, 18.8.6, and 18.9.2 that allowed authenticated users to manipulate repository downloads to display code differing from the web interface by exploiting improper branch reference validation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed an authorization validation flaw in versions 14.4 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2, where authenticated users with group import permissions could improperly create labels in private projects.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
GitLab addressed a vulnerability in versions 12.6 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access confidential issue titles due to improper filtering.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
GitLab / GitLab
|
vers:unknown/* |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "GitLab heeft kwetsbaarheden verholpen in versies 18.9.2, 18.8.6 en 18.7.6",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten verschillende problemen, waaronder onjuiste autorisatiecontroles die geauthenticeerde gebruikers in staat stelden om toegang te krijgen tot gevoelige gegevens, zoals metadata van private repositories, en het mogelijk maken van denial-of-service situaties door onjuiste invoervalidatie. Specifieke kwetsbaarheden betroffen de CI/CD-pijplijn, webhook-verwerking, en de importfunctionaliteit, waarbij ongepaste toegang tot API-gegevens en projectmetadata kon optreden. De kwetsbaarheden be\u00efnvloeden de vertrouwelijkheid en beschikbaarheid van gegevens binnen GitLab.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "GitLab heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"title": "CWE-93"
},
{
"category": "general",
"text": "Improper Encoding or Escaping of Output",
"title": "CWE-116"
},
{
"category": "general",
"text": "Improper Removal of Sensitive Information Before Storage or Transfer",
"title": "CWE-212"
},
{
"category": "general",
"text": "Authentication Bypass Using an Alternate Path or Channel",
"title": "CWE-288"
},
{
"category": "general",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "general",
"text": "Use of Incorrectly-Resolved Name or Reference",
"title": "CWE-706"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Improper Validation of Specified Quantity in Input",
"title": "CWE-1284"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"
}
],
"title": "Kwetsbaarheden verholpen in GitLab",
"tracking": {
"current_release_date": "2026-03-12T14:42:46.936248Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0093",
"initial_release_date": "2026-03-12T14:42:46.936248Z",
"revision_history": [
{
"date": "2026-03-12T14:42:46.936248Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "GitLab"
}
],
"category": "vendor",
"name": "GitLab"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-3848",
"cwe": {
"id": "CWE-93",
"name": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"title": "CWE-93"
},
{
"category": "description",
"text": "GitLab addressed a security vulnerability in versions 8.11 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to perform unintended internal requests via proxy environments due to improper input validation in the import feature.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-3848 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-3848.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-3848"
},
{
"cve": "CVE-2025-12555",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "description",
"text": "GitLab addressed a security flaw in versions 15.1 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access previous pipeline job data on projects with repository and CI/CD disabled due to improper authorization checks.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12555 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12555.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-12555"
},
{
"cve": "CVE-2025-12576",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "GitLab addressed a denial of service vulnerability affecting versions 9.3 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2, caused by improper handling of webhook response data.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12576 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12576.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-12576"
},
{
"cve": "CVE-2025-12697",
"cwe": {
"id": "CWE-116",
"name": "Improper Encoding or Escaping of Output"
},
"notes": [
{
"category": "other",
"text": "Improper Encoding or Escaping of Output",
"title": "CWE-116"
},
{
"category": "description",
"text": "GitLab addressed a security vulnerability in versions 15.5 up to but not including 18.9.2 that allowed authenticated users with maintainer permissions to potentially access Datadog API credentials.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12697 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12697.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-12697"
},
{
"cve": "CVE-2025-12704",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "GitLab addressed a security vulnerability in specific GitLab EE versions that permitted authenticated users to improperly access Virtual Registry data in unauthorized groups due to flawed authorization controls.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-12704 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12704.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-12704"
},
{
"cve": "CVE-2025-13690",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "GitLab addressed a denial of service vulnerability affecting versions 16.11 up to but not including 18.9.2, caused by improper input validation on webhook custom header names for authenticated users.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-13690 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-13690.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-13690"
},
{
"cve": "CVE-2025-13929",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "GitLab addressed a denial of service vulnerability affecting versions 10.0 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2, exploitable via specially crafted requests to repository archive endpoints by unauthenticated users.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-13929 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-13929.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-13929"
},
{
"cve": "CVE-2025-14513",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Specified Quantity in Input",
"title": "CWE-1284"
},
{
"category": "description",
"text": "GitLab addressed a denial of service vulnerability caused by improper input validation in the protected branches API affecting versions 16.11 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-14513 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-14513.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-14513"
},
{
"cve": "CVE-2026-0602",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"notes": [
{
"category": "other",
"text": "Authentication Bypass Using an Alternate Path or Channel",
"title": "CWE-288"
},
{
"category": "description",
"text": "GitLab addressed a vulnerability in versions 15.6 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access metadata from private content due to improper snippet rendering filtering.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-0602 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-0602.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-0602"
},
{
"cve": "CVE-2026-1069",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "description",
"text": "GitLab versions 18.9 to before 18.9.2 contained a denial of service vulnerability due to uncontrolled recursion in GraphQL requests exploitable by unauthenticated users.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-1069 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-1069.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-1069"
},
{
"cve": "CVE-2026-1090",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "GitLab addressed a security vulnerability in versions 10.6 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to inject JavaScript via markdown placeholders when the `markdown_placeholders` feature flag was enabled.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-1090 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-1090.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-1090"
},
{
"cve": "CVE-2026-1182",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"notes": [
{
"category": "other",
"text": "Improper Removal of Sensitive Information Before Storage or Transfer",
"title": "CWE-212"
},
{
"category": "description",
"text": "GitLab addressed a security vulnerability in versions 8.14 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access confidential issue titles in public projects without proper authorization.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-1182 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-1182.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-1182"
},
{
"cve": "CVE-2026-1230",
"cwe": {
"id": "CWE-706",
"name": "Use of Incorrectly-Resolved Name or Reference"
},
"notes": [
{
"category": "other",
"text": "Use of Incorrectly-Resolved Name or Reference",
"title": "CWE-706"
},
{
"category": "description",
"text": "GitLab addressed a vulnerability in versions prior to 18.7.6, 18.8.6, and 18.9.2 that allowed authenticated users to manipulate repository downloads to display code differing from the web interface by exploiting improper branch reference validation.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-1230 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-1230.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-1230"
},
{
"cve": "CVE-2026-1663",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "GitLab addressed an authorization validation flaw in versions 14.4 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2, where authenticated users with group import permissions could improperly create labels in private projects.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-1663 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-1663.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-1663"
},
{
"cve": "CVE-2026-1732",
"cwe": {
"id": "CWE-212",
"name": "Improper Removal of Sensitive Information Before Storage or Transfer"
},
"notes": [
{
"category": "other",
"text": "Improper Removal of Sensitive Information Before Storage or Transfer",
"title": "CWE-212"
},
{
"category": "description",
"text": "GitLab addressed a vulnerability in versions 12.6 to before 18.7.6, 18.8 to before 18.8.6, and 18.9 to before 18.9.2 that allowed authenticated users to access confidential issue titles due to improper filtering.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-1732 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-1732.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2026-1732"
}
]
}
WID-SEC-W-2026-0697
Vulnerability from csaf_certbund - Published: 2026-03-11 23:00 - Updated: 2026-03-11 23:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Open Source GitLab <18.7.6 (Open Source / GitLab) | | <18.7.6 | |
| Open Source GitLab <18.9.2 (Open Source / GitLab) | | <18.9.2 | |
| Open Source GitLab <18.8.6 (Open Source / GitLab) | | <18.8.6 | |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "GitLab ist eine Webanwendung zur Versionsverwaltung f\u00fcr Softwareprojekte auf Basis von git.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Dateien zu manipulieren, vertrauliche Informationen offenzulegen, Cross-Site-Scripting-Angriffe zu starten oder einen Denial-of-Service-Zustand zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0697 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0697.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0697 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0697"
},
{
"category": "external",
"summary": "GitLab Patch Release 18.9.2, 18.8.6, 18.7.6 vom 2026-03-11",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"
}
],
"source_lang": "en-US",
"title": "GitLab: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-11T23:00:00.000+00:00",
"generator": {
"date": "2026-03-12T10:36:30.454+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0697",
"initial_release_date": "2026-03-11T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-03-11T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c18.9.2",
"product": {
"name": "Open Source GitLab \u003c18.9.2",
"product_id": "T051640"
}
},
{
"category": "product_version",
"name": "18.9.2",
"product": {
"name": "Open Source GitLab 18.9.2",
"product_id": "T051640-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:gitlab:gitlab:18.9.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c18.8.6",
"product": {
"name": "Open Source GitLab \u003c18.8.6",
"product_id": "T051641"
}
},
{
"category": "product_version",
"name": "18.8.6",
"product": {
"name": "Open Source GitLab 18.8.6",
"product_id": "T051641-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:gitlab:gitlab:18.8.6"
}
}
},
{
"category": "product_version_range",
"name": "\u003c18.7.6",
"product": {
"name": "Open Source GitLab \u003c18.7.6",
"product_id": "T051642"
}
},
{
"category": "product_version",
"name": "18.7.6",
"product": {
"name": "Open Source GitLab 18.7.6",
"product_id": "T051642-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:gitlab:gitlab:18.7.6"
}
}
}
],
"category": "product_name",
"name": "GitLab"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-12555",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2025-12555"
},
{
"cve": "CVE-2025-12576",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2025-12576"
},
{
"cve": "CVE-2025-12697",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2025-12697"
},
{
"cve": "CVE-2025-12704",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2025-12704"
},
{
"cve": "CVE-2025-13690",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2025-13690"
},
{
"cve": "CVE-2025-13929",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2025-13929"
},
{
"cve": "CVE-2025-14513",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2025-14513"
},
{
"cve": "CVE-2026-0602",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2026-0602"
},
{
"cve": "CVE-2026-1069",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2026-1069"
},
{
"cve": "CVE-2026-1090",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2026-1090"
},
{
"cve": "CVE-2026-1230",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2026-1230"
},
{
"cve": "CVE-2026-1663",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2026-1663"
},
{
"cve": "CVE-2026-1732",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2026-1732"
},
{
"cve": "CVE-2026-3848",
"product_status": {
"known_affected": [
"T051642",
"T051640",
"T051641"
]
},
"release_date": "2026-03-11T23:00:00.000+00:00",
"title": "CVE-2026-3848"
}
]
}