GitLab
by GitLab Inc.
Source repositories
CVEs (1,214)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-18649 | 0.04 | — | 0.07 | Nov 29, 2018 | An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution. | |||
| CVE-2022-1162 | 0.03 | — | 0.76 | Apr 4, 2022 | A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts | |||
| CVE-2020-10977 | 0.03 | — | 0.43 | Apr 8, 2020 | GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects. | |||
| CVE-2013-7316 | 0.03 | — | 0.02 | Jan 24, 2014 | Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html. | |||
| CVE-2024-1451 | 0.02 | — | 0.51 | Feb 21, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims." | |||
| CVE-2023-0523 | 0.02 | — | 0.01 | Apr 5, 2023 | An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. An XSS was possible via a malicious email address for certain instances. | |||
| CVE-2022-3513 | 0.02 | — | 0.01 | Apr 5, 2023 | An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which… | |||
| CVE-2025-0314 | 0.01 | — | 0.00 | Jan 24, 2025 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting. | |||
| CVE-2024-4835 | 0.01 | — | 0.01 | May 23, 2024 | A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information. | |||
| CVE-2024-2434 | 0.01 | — | 0.23 | Apr 25, 2024 | An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. | |||
| CVE-2023-5933 | 0.01 | — | 0.01 | Jan 26, 2024 | An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests. | |||
| CVE-2023-0921 | 0.01 | — | 0.84 | Jun 6, 2023 | A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. | |||
| CVE-2023-1178 | 0.01 | — | 0.01 | May 3, 2023 | An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled… | |||
| CVE-2019-14944 | 0.01 | — | 0.02 | Apr 15, 2023 | An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution. | |||
| CVE-2023-1708 | 0.01 | — | 0.01 | Apr 5, 2023 | An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters gets copied from clipboard, allowing unexpected commands to be executed on victim machine. | |||
| CVE-2022-3572 | 0.01 | — | 0.01 | Jan 24, 2023 | A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected… | |||
| CVE-2022-3265 | 0.01 | — | 0.86 | Nov 9, 2022 | A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed… | |||
| CVE-2021-22201 | 0.01 | — | 0.03 | Apr 2, 2021 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server. | |||
| CVE-2026-2370 | 0.00 | — | 0.00 | Mar 29, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain… | |||
| CVE-2025-13078 | 0.00 | — | 0.00 | Mar 25, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain… |
- CVE-2018-18649Nov 29, 2018risk 0.04cvss —epss 0.07
An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.
- CVE-2022-1162Apr 4, 2022risk 0.03cvss —epss 0.76
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts
- CVE-2020-10977Apr 8, 2020risk 0.03cvss —epss 0.43
GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects.
- CVE-2013-7316Jan 24, 2014risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html.
- CVE-2024-1451Feb 21, 2024risk 0.02cvss —epss 0.51
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims."
- CVE-2023-0523Apr 5, 2023risk 0.02cvss —epss 0.01
An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. An XSS was possible via a malicious email address for certain instances.
- CVE-2022-3513Apr 5, 2023risk 0.02cvss —epss 0.01
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which…
- CVE-2025-0314Jan 24, 2025risk 0.01cvss —epss 0.00
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.
- CVE-2024-4835May 23, 2024risk 0.01cvss —epss 0.01
A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
- CVE-2024-2434Apr 25, 2024risk 0.01cvss —epss 0.23
An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.
- CVE-2023-5933Jan 26, 2024risk 0.01cvss —epss 0.01
An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests.
- CVE-2023-0921Jun 6, 2023risk 0.01cvss —epss 0.84
A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.
- CVE-2023-1178May 3, 2023risk 0.01cvss —epss 0.01
An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled…
- CVE-2019-14944Apr 15, 2023risk 0.01cvss —epss 0.02
An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution.
- CVE-2023-1708Apr 5, 2023risk 0.01cvss —epss 0.01
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters gets copied from clipboard, allowing unexpected commands to be executed on victim machine.
- CVE-2022-3572Jan 24, 2023risk 0.01cvss —epss 0.01
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected…
- CVE-2022-3265Nov 9, 2022risk 0.01cvss —epss 0.86
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed…
- CVE-2021-22201Apr 2, 2021risk 0.01cvss —epss 0.03
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
- CVE-2026-2370Mar 29, 2026risk 0.00cvss —epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain…
- CVE-2025-13078Mar 25, 2026risk 0.00cvss —epss 0.00
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain…
Page 7 of 61