Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-12576 | — | >= 9.3.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook respons | ||
| CVE-2025-12697 | — | >= 15.5.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions. | ||
| CVE-2025-12704 | — | >= 18.2.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization | ||
| CVE-2025-13690 | — | >= 16.11.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom heade | ||
| CVE-2025-13929 | — | >= 10.0.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpo | ||
| CVE-2025-14513 | — | >= 16.11.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing speci | ||
| CVE-2026-0602 | — | >= 15.6.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to i | ||
| CVE-2026-1069 | — | >= 18.9.0, < 18.9.2 | 18.9.2 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances. | ||
| CVE-2026-1090 | — | >= 10.6.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser du | ||
| CVE-2026-1230 | — | >= 1.0.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due t | ||
| CVE-2026-1663 | — | >= 14.4.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization | ||
| CVE-2026-1732 | — | >= 12.6.0, < 18.7.6 | 18.7.6 | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances. | ||
| CVE-2025-14511 | — | >= 12.2.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event | ||
| CVE-2026-0752 | — | >= 16.2.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI. | ||
| CVE-2026-1388 | — | >= 9.2.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge req | ||
| CVE-2026-1662 | — | >= 14.4.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint. | ||
| CVE-2026-1747 | — | >= 17.11.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to prote | ||
| CVE-2026-1725 | — | >= 18.9.0, < 18.9.1 | 18.9.1 | Feb 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint. | ||
| CVE-2026-2845 | — | >= 11.2.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending | ||
| CVE-2025-3525 | — | >= 9.0.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating speciall |
- CVE-2025-12576Mar 11, 2026affected >= 9.3.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under certain conditions could have allowed an authenticated user to cause a denial of service due to improper handling of webhook respons
- CVE-2025-12697Mar 11, 2026affected >= 15.5.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.
- CVE-2025-12704Mar 11, 2026affected >= 18.2.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization
- CVE-2025-13690Mar 11, 2026affected >= 16.11.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom heade
- CVE-2025-13929Mar 11, 2026affected >= 10.0.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpo
- CVE-2025-14513Mar 11, 2026affected >= 16.11.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing speci
- CVE-2026-0602Mar 11, 2026affected >= 15.6.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to i
- CVE-2026-1069Mar 11, 2026affected >= 18.9.0, < 18.9.2fixed 18.9.2
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
- CVE-2026-1090Mar 11, 2026affected >= 10.6.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markdown_placeholders` feature flag was enabled, to inject JavaScript in a browser du
- CVE-2026-1230Mar 11, 2026affected >= 1.0.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due t
- CVE-2026-1663Mar 11, 2026affected >= 14.4.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization
- CVE-2026-1732Mar 11, 2026affected >= 12.6.0, < 18.7.6fixed 18.7.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.
- CVE-2025-14511Feb 25, 2026affected >= 12.2.0, < 18.7.5fixed 18.7.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event
- CVE-2026-0752Feb 25, 2026affected >= 16.2.0, < 18.7.5fixed 18.7.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
- CVE-2026-1388Feb 25, 2026affected >= 9.2.0, < 18.7.5fixed 18.7.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge req
- CVE-2026-1662Feb 25, 2026affected >= 14.4.0, < 18.7.5fixed 18.7.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause Denial of Service by sending specially crafted requests to the Jira events endpoint.
- CVE-2026-1747Feb 25, 2026affected >= 17.11.0, < 18.7.5fixed 18.7.5
GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to prote
- CVE-2026-1725Feb 25, 2026affected >= 18.9.0, < 18.9.1fixed 18.9.1
GitLab has remediated an issue in GitLab CE/EE affecting versions from 18.9 before 18.9.1 that could have under certain conditions, allowed an unauthenticated user to cause denial of service by sending specially crafted requests to a CI jobs API endpoint.
- CVE-2026-2845Feb 25, 2026affected >= 11.2.0, < 18.7.5fixed 18.7.5
An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an authenticated user to cause denial of service by exploiting a Bitbucket Server import endpoint via repeatedly sending
- CVE-2025-3525Feb 25, 2026affected >= 9.0.0, < 18.7.5fixed 18.7.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating speciall
Page 5 of 54