NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2020-26405 | Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | 7.1 | 1.43% | 2020-11-17 | 2026-06-16 |
| CVE-2020-26406 | Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | 5.3 | 1.42% | 2020-11-16 | 2026-06-16 |
| CVE-2020-26407 | A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious project | 5.5 | 0.72% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26408 | A limited information disclosure vulnerability exists in Gitlab CE/EE from >= 12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in user's private profile | 5.3 | 1.02% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26409 | A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields. | 4.3 | 1.24% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26411 | A potential DOS vulnerability was discovered in all versions of Gitlab starting from 13.4.x (>=13.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused. | 4.3 | 1.20% | 2020-12-11 | 2026-06-16 |
| CVE-2020-26412 | Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2. | 3.1 | 1.00% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26413 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible. | 5.3 | 33.77% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26414 | An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string. | 4.3 | 1.53% | 2021-01-15 | 2026-06-16 |
| CVE-2020-26415 | Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. | 4.3 | 0.81% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26416 | Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2. | 4.0 | 0.33% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26417 | Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7. | 5.3 | 1.16% | 2020-12-10 | 2026-06-16 |
| CVE-2020-26418 | Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. | 3.1 | 2.96% | 2020-12-11 | 2026-06-16 |
| CVE-2020-26419 | Memory leak in the dissection engine in Wireshark 3.4.0 allows denial of service via packet injection or crafted capture file. | 3.1 | 2.78% | 2020-12-11 | 2026-06-16 |
| CVE-2020-26420 | Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. | 3.1 | 2.61% | 2020-12-11 | 2026-06-16 |
| CVE-2020-26421 | Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. | 4.2 | 2.59% | 2020-12-11 | 2026-06-16 |
| CVE-2020-26422 | Buffer overflow in QUIC dissector in Wireshark 3.4.0 to 3.4.1 allows denial of service via packet injection or crafted capture file | 3.7 | 4.67% | 2020-12-21 | 2026-06-16 |
| CVE-2021-22166 | An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method | 5.3 | 1.38% | 2021-01-15 | 2026-06-16 |
| CVE-2021-22167 | An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository | 5.3 | 1.57% | 2021-01-15 | 2026-06-16 |
| CVE-2021-22168 | A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8. | 4.3 | 1.00% | 2021-01-15 | 2026-06-16 |