Aggregates CVE and security vulnerability intelligence across all GitLab-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting, vendor risk path handling, and vendor risk ssrf and related problems; some flaws may lead to vendor impact session compromise and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-12562 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits. | [email protected] | 7.5 | 0.76% | 2025-12-10 | 2026-06-17 |
| CVE-2024-9183 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions. | [email protected] | 7.7 | 0.21% | 2025-12-05 | 2026-06-17 |
| CVE-2025-7449 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing. | [email protected] | 6.5 | 0.36% | 2025-11-26 | 2026-06-17 |
| CVE-2025-6195 | GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. | [email protected] | 4.3 | 0.27% | 2025-11-26 | 2026-06-17 |
| CVE-2025-13611 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.5.5 and 18.6 before 18.6.3 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions. | [email protected] | 2.0 | 0.21% | 2025-11-26 | 2026-06-17 |
| CVE-2025-12653 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests. | [email protected] | 6.5 | 0.25% | 2025-11-26 | 2026-06-17 |
| CVE-2025-12571 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads. | [email protected] | 7.5 | 0.45% | 2025-11-26 | 2026-06-17 |
| CVE-2025-9825 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API. | [email protected] | 5.0 | 0.30% | 2025-11-21 | 2026-06-17 |
| CVE-2025-12983 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns. | [email protected] | 3.5 | 0.37% | 2025-11-15 | 2026-06-17 |
| CVE-2025-7736 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to bypass access control restrictions and view GitLab Pages content intended only for project members by authenticating through OAuth providers. | [email protected] | 3.1 | 0.27% | 2025-11-15 | 2026-06-17 |
| CVE-2025-7000 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests. | [email protected] | 4.3 | 0.35% | 2025-11-15 | 2026-06-17 |
| CVE-2025-6945 | GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments. | [email protected] | 3.5 | 0.27% | 2025-11-15 | 2026-06-17 |
| CVE-2025-6171 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled. | [email protected] | 5.3 | 0.26% | 2025-11-15 | 2026-06-17 |
| CVE-2025-2615 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections. | [email protected] | 4.3 | 0.27% | 2025-11-15 | 2026-06-17 |
| CVE-2025-11990 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses. | [email protected] | 3.1 | 0.26% | 2025-11-15 | 2026-06-17 |
| CVE-2025-11865 | An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user. | [email protected] | 4.3 | 0.20% | 2025-11-15 | 2026-06-17 |
| CVE-2025-11702 | GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects. | [email protected] | 8.5 | 0.57% | 2025-10-29 | 2026-06-17 |
| CVE-2025-6601 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.3, and 18.5 before 18.5.1 that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow. | [email protected] | 2.7 | 0.27% | 2025-10-26 | 2026-06-17 |
| CVE-2025-11989 | GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions. | [email protected] | 3.7 | 0.16% | 2025-10-26 | 2026-06-17 |
| CVE-2025-11974 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an unauthenticated attacker to create a denial of service condition by uploading large files to specific API endpoints. | [email protected] | 6.5 | 0.35% | 2025-10-26 | 2026-06-17 |