Bitnami package
gitlab
pkg:bitnami/gitlab
Vulnerabilities (1,073)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-14103 | — | >= 17.7.0, < 18.7.5 | 18.7.5 | Feb 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certa | ||
| CVE-2025-7659 | — | >= 18.2.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web ID | ||
| CVE-2025-8099 | — | >= 10.8.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries. | ||
| CVE-2025-12073 | — | >= 18.0.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by b | ||
| CVE-2025-14560 | — | >= 17.1.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting | ||
| CVE-2025-14594 | — | >= 17.11.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API. | ||
| CVE-2025-14592 | — | >= 18.6.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations thr | ||
| CVE-2026-0595 | — | >= 13.9.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in | ||
| CVE-2026-0958 | — | >= 18.4.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middl | ||
| CVE-2026-1094 | — | >= 18.8.0, < 18.8.4 | 18.8.4 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI. | ||
| CVE-2026-1282 | — | >= 18.6.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles. | ||
| CVE-2026-1456 | — | >= 18.7.0, < 18.7.4 | 18.7.4 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger expo | ||
| CVE-2026-1458 | — | >= 8.0.0, < 18.6.6 | 18.6.6 | Feb 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files. | ||
| CVE-2026-1751 | — | >= 16.8.0, < 18.5.0 | 18.5.0 | Feb 2, 2026 | A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions. | ||
| CVE-2025-13928 | — | >= 17.7.0, < 18.6.4 | 18.6.4 | Jan 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API | ||
| CVE-2025-13927 | — | >= 11.9.0, < 18.6.4 | 18.6.4 | Jan 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authenticat | ||
| CVE-2026-0723 | — | >= 18.6.0, < 18.6.4 | 18.6.4 | Jan 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting fo | ||
| CVE-2026-1102 | — | >= 12.3.0, < 18.6.4 | 18.6.4 | Jan 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication reque | ||
| CVE-2025-13335 | — | >= 17.1.0, < 18.6.4 | 18.6.4 | Jan 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wik | ||
| CVE-2025-11224 | — | >= 15.10.0, < 18.3.6 | 18.3.6 | Jan 14, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes prox |
- CVE-2025-14103Feb 25, 2026affected >= 17.7.0, < 18.7.5fixed 18.7.5
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certa
- CVE-2025-7659Feb 11, 2026affected >= 18.2.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web ID
- CVE-2025-8099Feb 11, 2026affected >= 10.8.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.8 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.
- CVE-2025-12073Feb 11, 2026affected >= 18.0.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by b
- CVE-2025-14560Feb 11, 2026affected >= 17.1.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting
- CVE-2025-14594Feb 11, 2026affected >= 17.11.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to view certain pipeline values by querying the API.
- CVE-2025-14592Feb 11, 2026affected >= 18.6.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations thr
- CVE-2026-0595Feb 11, 2026affected >= 13.9.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML in
- CVE-2026-0958Feb 11, 2026affected >= 18.4.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middl
- CVE-2026-1094Feb 11, 2026affected >= 18.8.0, < 18.8.4fixed 18.8.4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
- CVE-2026-1282Feb 11, 2026affected >= 18.6.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles.
- CVE-2026-1456Feb 11, 2026affected >= 18.7.0, < 18.7.4fixed 18.7.4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through CPU exhaustion by submitting specially crafted markdown files that trigger expo
- CVE-2026-1458Feb 11, 2026affected >= 8.0.0, < 18.6.6fixed 18.6.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an unauthenticated user to cause denial of service by uploading malicious files.
- CVE-2026-1751Feb 2, 2026affected >= 16.8.0, < 18.5.0fixed 18.5.0
A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions.
- CVE-2025-13928Jan 22, 2026affected >= 17.7.0, < 18.6.4fixed 18.6.4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API
- CVE-2025-13927Jan 22, 2026affected >= 11.9.0, < 18.6.4fixed 18.6.4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authenticat
- CVE-2026-0723Jan 22, 2026affected >= 18.6.0, < 18.6.4fixed 18.6.4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting fo
- CVE-2026-1102Jan 22, 2026affected >= 12.3.0, < 18.6.4fixed 18.6.4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication reque
- CVE-2025-13335Jan 22, 2026affected >= 17.1.0, < 18.6.4fixed 18.6.4
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wik
- CVE-2025-11224Jan 14, 2026affected >= 15.10.0, < 18.3.6fixed 18.3.6
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes prox
Page 6 of 54