VYPR

Vendor CVEs

GitLab Inc.

All CVEs

1,397 total · sorted by risk
  • CVE-2025-9484 · Med · Apr 8, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL…

  • CVE-2021-39904 · Med · Nov 5, 2021
    risk 0.28 · cvss 4.3 · epss 0.01

    An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows a Merge Request creator to resolve discussions…

  • CVE-2018-14606 · Med · Jul 27, 2018
    risk 0.28 · cvss 5.4 · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur via a Milestone name during a promotion.

  • CVE-2018-14605 · Med · Jul 27, 2018
    risk 0.28 · cvss 5.4 · epss 0.01

    An issue was discovered in GitLab Community and Enterprise Edition before 10.8.7, 11.0.x before 11.0.5, and 11.1.x before 11.1.2. XSS can occur in the branch name during a Web IDE file commit.

  • CVE-2017-0920 · Med · Mar 22, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component, allowing an attacker to see every project name and its respective namespace on a GitLab…

  • CVE-2026-6976 · Low · Jun 11, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request…

  • CVE-2026-7471 · Low · May 14, 2026
    risk 0.23 · cvss 3.5 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper…

  • CVE-2026-3254 · Low · Apr 22, 2026
    risk 0.23 · cvss 3.5 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.

  • CVE-2023-7028 · KEV · Jan 12, 2024
    risk 0.22 · cvss n/a · epss 0.95

    An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could…

  • CVE-2026-3553 · Low · Jun 11, 2026
    risk 0.20 · cvss 3.1 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization…

  • CVE-2026-2900 · Low · May 14, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions…

  • CVE-2025-9957 · Low · Apr 22, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention…

  • CVE-2026-4916 · Low · Apr 8, 2026
    risk 0.18 · cvss 2.7 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to…

  • CVE-2021-22175 · KEV · Jun 11, 2021
    risk 0.18 · cvss n/a · epss 0.53

    When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled.

  • CVE-2026-9694 · Low · Jun 11, 2026
    risk 0.17 · cvss 2.6 · epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary…

  • CVE-2026-6883 · Low · May 14, 2026
    risk 0.17 · cvss 2.6 · epss 0.00

    GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy…

  • CVE-2021-39935 · KEV · Dec 13, 2021
    risk 0.17 · cvss n/a · epss 0.30

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.

  • CVE-2021-39911 · Low · Nov 5, 2021
    risk 0.11 · cvss 1.7 · epss 0.01

    An improper access control flaw in all versions of GitLab CE/EE starting from 13.9 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 exposes the private email address of Issue and Merge Request assignees to Webhook data…

  • CVE-2023-2825 · May 26, 2023
    risk 0.10 · cvss n/a · epss 0.72

    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

  • CVE-2022-2992 · Oct 17, 2022
    risk 0.10 · cvss n/a · epss 0.86

    A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

  • CVE-2021-4191 · Mar 28, 2022
    risk 0.10 · cvss n/a · epss 0.80

    An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.

  • CVE-2023-2442 · Jun 7, 2023
    risk 0.07 · cvss n/a · epss 0.96

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7 and all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary…

  • CVE-2022-2185 · Jul 1, 2022
    risk 0.07 · cvss n/a · epss 0.77

    A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code…

  • CVE-2021-22214 · Jun 8, 2021
    risk 0.07 · cvss n/a · epss 0.28

    When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited.

  • CVE-2020-26413 · Dec 11, 2020
    risk 0.07 · cvss n/a · epss 0.34

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.

  • CVE-2022-0735 · Mar 28, 2022
    risk 0.06 · cvss n/a · epss 0.13

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, and all versions starting from 14.8 before 14.8.2. An unauthorised user was able to steal runner registration tokens through an…

  • CVE-2013-4490 · May 13, 2014
    risk 0.06 · cvss n/a · epss 0.42

    The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands via shell metacharacters in the public key.

  • CVE-2023-5612 · Jan 26, 2024
    risk 0.05 · cvss n/a · epss 0.04

    An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via the tags feed although the visibility in the user profile had been disabled.

  • CVE-2023-0050 · Mar 9, 2023
    risk 0.05 · cvss n/a · epss 0.92

    An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, and all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which…

  • CVE-2022-2884 · Oct 17, 2022
    risk 0.05 · cvss n/a · epss 0.76

    A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, and 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

  • CVE-2018-19571 · Jul 10, 2019
    risk 0.05 · cvss n/a · epss 0.28

    GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.

  • CVE-2024-0402 · Jan 26, 2024
    risk 0.04 · cvss n/a · epss 0.03

    An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

  • CVE-2023-2164 · Aug 1, 2023
    risk 0.04 · cvss n/a · epss 0.64

    An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, and all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user…

  • CVE-2018-18649 · Nov 29, 2018
    risk 0.04 · cvss n/a · epss 0.07

    An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.

  • CVE-2022-1162 · Apr 4, 2022
    risk 0.03 · cvss n/a · epss 0.76

    A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.

  • CVE-2020-10977 · Apr 8, 2020
    risk 0.03 · cvss n/a · epss 0.43

    GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.

  • CVE-2013-7316 · Jan 24, 2014
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html.

  • CVE-2024-1451 · Feb 21, 2024
    risk 0.02 · cvss n/a · epss 0.51

    An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.1. A crafted payload added to the user profile page could lead to a stored XSS on the client side, allowing attackers to perform arbitrary actions on behalf of victims.

  • CVE-2023-0523 · Apr 5, 2023
    risk 0.02 · cvss n/a · epss 0.01

    An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. An XSS was possible via a malicious email address for certain instances.

  • CVE-2022-3513 · Apr 5, 2023
    risk 0.02 · cvss n/a · epss 0.01

    An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, and all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which…

  • CVE-2025-0314 · Jan 24, 2025
    risk 0.01 · cvss n/a · epss 0.00

    An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types leads to cross-site scripting.

  • CVE-2024-4835 · May 23, 2024
    risk 0.01 · cvss n/a · epss 0.01

    An XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.

  • CVE-2024-2434 · Apr 25, 2024
    risk 0.01 · cvss n/a · epss 0.23

    An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read.

  • CVE-2023-5933 · Jan 26, 2024
    risk 0.01 · cvss n/a · epss 0.01

    An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of the user name allows arbitrary API PUT requests.

  • CVE-2023-0921 · Jun 6, 2023
    risk 0.01 · cvss n/a · epss 0.84

    A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.

  • CVE-2023-1178 · May 3, 2023
    risk 0.01 · cvss n/a · epss 0.01

    An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, and all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled…

  • CVE-2019-14944 · Apr 15, 2023
    risk 0.01 · cvss n/a · epss 0.02

    An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution.

  • CVE-2023-1708 · Apr 5, 2023
    risk 0.01 · cvss n/a · epss 0.01

    An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters get copied from the clipboard, allowing unexpected commands to be executed on the victim's machine.

  • CVE-2022-3572 · Jan 24, 2023
    risk 0.01 · cvss n/a · epss 0.01

    A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected…

  • CVE-2022-3265 · Nov 9, 2022
    risk 0.01 · cvss n/a · epss 0.86

    A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the label colour feature which could lead to a stored XSS that allowed…
Page 3 of 28