[CIVN-2026-0014] Multiple Vulnerabilities in Gitlab

Published On: January 14, 2026

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in Gitlab
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Gitlab versions prior to 18.7.1, 18.6.3 and 18.5.5 for GitLab Community Edition (CE) and Enterprise Edition (EE)
Overview
Multiple vulnerabilities have been reported in GitLab CE/EE that could be exploited by a remote attacker to trigger cross-site scripting, disclose sensitive information, execute arbitrary code, bypass security restrictions and cause a denial of service (DoS) condition on the targeted system.
Target Audience:
All organizations and individuals using Gitlab.
Risk Assessment:
Risk of cross-site scripting, unauthorized access to sensitive data and service unavailability.
Impact Assessment:
Potential for data theft, sensitive information disclosure and disruption of services.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both open-source Community Edition (CE) and Enterprise Edition (EE) versions.
Multiple vulnerabilities exist in GitLab due to cross-site scripting issues in GitLab Flavored Markdown placeholders and the Web IDE, insufficient input validation, missing authorization checks and improper access control. An attacker could exploit these vulnerabilities by sending a specially crafted request.
Successful exploitation of these vulnerabilities could allow a remote attacker to trigger cross-site scripting, disclose sensitive information, execute arbitrary code, bypass security restrictions and cause a denial of service (DoS) condition on the targeted system.
Solution
Apply the appropriate updates as described in the vendor patch release notes:
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
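As an added example (not part of this advisory or of GitLab's own tooling), the following Python check decides whether a GitLab version string is "prior to 18.7.1, 18.6.3 and 18.5.5" in the sense of the Software Affected section, including backported fixes on the 18.6 and 18.5 lines. The version strings are constructed samples in the shape of the "version" field returned by GitLab's /api/v4/version endpoint (e.g. 18.6.2-ee); the instance names are hypothetical.

```python
# Added example, not part of the CERT-In advisory: classify GitLab version
# strings against the fixed releases this advisory names (18.7.1, 18.6.3,
# 18.5.5). Input strings are assumed to look like the "version" field of
# GitLab's /api/v4/version endpoint, e.g. "18.6.2-ee"; samples are constructed.
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Earliest fixed release per maintained release line, per "Software Affected".
FIXED_BY_LINE: Dict[Tuple[int, int], Version] = {
    (18, 7): (18, 7, 1),
    (18, 6): (18, 6, 3),
    (18, 5): (18, 5, 5),
}
NEWEST_FIX: Version = max(FIXED_BY_LINE.values())  # (18, 7, 1)

# Accepts "18.6.2", "18.6.2-ee" and package-style "18.4.2-ce.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce)(?:\.\d+)?)?$")


def parse_version(text: str) -> Version:
    """Turn '18.6.2-ee' or '18.7.0' into (18, 6, 2) / (18, 7, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(text: str) -> bool:
    """True when the version is 'prior to 18.7.1, 18.6.3 and 18.5.5':
    anything below the newest fix, unless its own release line has a
    backported fix and the version is at or above it. Release lines older
    than 18.5 received no fix in this advisory, so they count as affected."""
    v = parse_version(text)
    if v >= NEWEST_FIX:
        return False
    line_fix = FIXED_BY_LINE.get(v[:2])
    return line_fix is None or v < line_fix


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map instance name -> needs-update flag for a {name: version} inventory."""
    return {name: is_affected(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory with hypothetical instance names.
    sample = {"ci-main": "18.7.0-ee", "ci-legacy": "18.5.5", "lab": "18.4.2-ce.0"}
    for name, flagged in triage(sample).items():
        print(f"{name}: {'UPDATE' if flagged else 'ok'}")
```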
Vendor Information
Gitlab
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
References
https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
CVE Name
CVE-2025-9222
CVE-2025-13761
CVE-2025-13772
CVE-2025-13781
CVE-2025-10569
CVE-2025-11246
CVE-2025-3950
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
