Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
Assigner (CNA / source):[email protected] Remove this filter
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2021-39895 | In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source. | 6.0 | 0.98% | 2021-11-04 | 2026-06-17 |
| CVE-2020-13327 | An issue has been discovered in GitLab Runner affecting all versions starting from 13.4.0 before 13.4.2, all versions starting from 13.3.0 before 13.3.7, all versions starting from 13.2.0 before 13.2.10. Insecure Runner Configuration in Kubernetes Environments | 6.0 | 0.71% | 2020-10-22 | 2026-06-16 |
| CVE-2026-1466 | Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like i | 6.1 | 0.29% | 2026-01-28 | 2026-06-17 |
| CVE-2025-7066 | Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like tex | 6.1 | 0.26% | 2025-07-04 | 2026-06-17 |
| CVE-2024-8648 | An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL. | 6.1 | 0.36% | 2024-11-14 | 2026-06-17 |
| CVE-2024-12326 | Jirafeau normally prevents browser preview for SVG files due to the possibility that manipulated SVG files could be exploited for cross site scripting. This was done by storing the MIME type of a file and preventing the browser preview for MIME type image/svg+xml. This issue was first reported in CVE-2022-30110. However, it was still possible to do a browser preview of a SVG file by sending a manipulated MIME type during the upload, where the case of any letter in image/svg+xml had been changed | 6.1 | 0.23% | 2024-12-06 | 2026-06-17 |
| CVE-2023-0042 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols. | 6.1 | 0.40% | 2023-01-11 | 2026-06-17 |
| CVE-2022-3513 | An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP. | 6.1 | 0.74% | 2023-04-05 | 2026-06-17 |
| CVE-2022-1460 | An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user. | 6.1 | 1.09% | 2022-05-11 | 2026-06-17 |
| CVE-2022-0891 | A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact | 6.1 | 1.54% | 2022-03-10 | 2026-06-17 |
| CVE-2021-22227 | A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it | 6.1 | 0.95% | 2021-07-07 | 2026-06-16 |
| CVE-2021-22223 | Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link | 6.1 | 0.95% | 2021-07-06 | 2026-06-16 |
| CVE-2021-22220 | An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks. | 6.1 | 0.74% | 2021-06-08 | 2026-06-16 |
| CVE-2020-13278 | Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request. | 6.1 | 1.43% | 2020-08-12 | 2026-06-16 |
| CVE-2020-13271 | A Stored Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code in the blobs API in all previous GitLab CE/EE versions through 13.0.1 | 6.1 | 1.53% | 2020-06-10 | 2026-06-16 |
| CVE-2020-13269 | A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1 | 6.1 | 1.75% | 2020-06-10 | 2026-06-16 |
| CVE-2020-13267 | A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard in GitLab CE/EE 12.8 and later through 13.0.1 | 6.1 | 1.75% | 2020-06-10 | 2026-06-16 |
| CVE-2020-13262 | Client-Side code injection through Mermaid markup in GitLab CE/EE 12.9 and later through 13.0.1 allows a specially crafted Mermaid payload to PUT requests on behalf of other users via clicking on a link | 6.1 | 0.87% | 2020-06-19 | 2026-06-16 |
| CVE-2022-2417 | Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply chain attacks where a victim pinned to a specific Git commit of the project. | 6.2 | 0.61% | 2022-08-05 | 2026-06-17 |
| CVE-2021-22184 | An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted. | 6.2 | 0.30% | 2021-03-26 | 2026-06-16 |