
[CIVN-2026-0091] Multiple Vulnerabilities in GitLab
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in GitLab
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 18.8.4, 18.7.4 and 18.6.6
Overview
Multiple vulnerabilities have been reported in GitLab CE/EE that could allow an attacker to steal sensitive information, perform server-side request forgery, bypass authorization controls, conduct cross-site scripting and HTML injection attacks, manipulate application data, and cause denial-of-service conditions on the targeted system.
Target Audience:
Organizations and individuals operating self-managed GitLab CE/EE instances.
Risk Assessment:
Risk of unauthorized access, privilege escalation, information disclosure, improper access control, input validation abuse, and denial-of-service conditions.
Impact Assessment:
Potential for unauthorized data access, data manipulation, and service disruption.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both open-source Community Edition (CE) and Enterprise Edition (EE) versions.
Multiple vulnerabilities exist in GitLab CE/EE due to improper input validation, incorrect authorization checks, improper filtering, access control weaknesses, encoding flaws, and insufficient request handling. An attacker could exploit these vulnerabilities by sending specially crafted requests or content to the targeted system.
Successful exploitation of these vulnerabilities could allow an attacker to steal sensitive information, perform server-side request forgery, bypass authorization controls, conduct cross-site scripting and HTML injection attacks, manipulate application data, and cause denial-of-service conditions on the targeted system.
Solution
Apply the updates described in the vendor patch release notes:
https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
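Before and after patching, confirm that the running version is at or above the fixed release for its branch. The following branch-aware check is an added example and is not CERT-In or GitLab code. It assumes that the three fixed releases named in this advisory are the patch floors for the 18.8, 18.7 and 18.6 branches respectively, that any instance on an older branch is affected and must move to at least 18.6.6, that releases newer than 18.8.4 carry the fixes, and that on an Omnibus install the version can be read from /opt/gitlab/embedded/service/gitlab-rails/VERSION; the file path and the sample version strings are assumptions, not taken from the advisory.

```python
"""Branch-aware check of a GitLab CE/EE version against the fixed releases
listed in this advisory (18.8.4, 18.7.4, 18.6.6).

Added example, not CERT-In or GitLab code. Assumptions not stated on the page:
- each fixed release is the patch floor for its own 18.x branch;
- branches older than 18.6 received no fix and are treated as affected;
- releases newer than 18.8.4 include the fixes;
- the Omnibus VERSION file path below is the usual location.
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}
OLDEST_FIXED_BRANCH = min(FIXED_RELEASES)  # (18, 6)
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)  # (18, 8)

# GitLab reports strings such as "18.8.3-ee", "18.8.3" or "18.9.0-pre";
# keep the numeric triple and ignore the edition / pre-release suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None if the string is not a version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True if `version` is earlier than the fixed release for its branch."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    branch = parsed[:2]
    if branch in FIXED_RELEASES:
        return parsed < FIXED_RELEASES[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True  # older branch, no fixed release of its own (assumed)
    return False  # newer than 18.8: assumed to carry the fixes


def fixed_release_for(version: str) -> Optional[str]:
    """Minimum release to move to, or None when `version` is not affected.

    A branch older than 18.6 has no patched release of its own, so the oldest
    fixed release (18.6.6) is the smallest acceptable upgrade target.
    """
    if not is_affected(version):
        return None
    branch = parse_version(version)[:2]
    target = FIXED_RELEASES.get(branch, FIXED_RELEASES[OLDEST_FIXED_BRANCH])
    return ".".join(str(part) for part in target)


if __name__ == "__main__":
    # Usage: python3 gitlab_version_check.py 18.8.3-ee
    # With no argument, read the Omnibus VERSION file (assumed path).
    if len(sys.argv) > 1:
        raw = sys.argv[1]
    else:
        with open("/opt/gitlab/embedded/service/gitlab-rails/VERSION") as fh:
            raw = fh.read()
    label = raw.strip()
    if is_affected(raw):
        print(f"{label}: AFFECTED, upgrade to at least {fixed_release_for(raw)}")
        sys.exit(1)
    print(f"{label}: not in the affected range")
```

On an Omnibus host the same version string is also printed by `sudo gitlab-rake gitlab:env:info`, and an authenticated `GET /api/v4/version` call returns it in the `version` field, which is convenient when checking several instances from a central place.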
Vendor Information
GitLab
https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
References
https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
CVE Name
CVE-2025-7659
CVE-2025-8099
CVE-2025-0958
CVE-2025-14560
CVE-2026-0595
CVE-2026-1458
CVE-2026-1456
CVE-2026-1387
CVE-2026-12575
CVE-2026-1094
CVE-2026-12073
CVE-2026-1080
CVE-2025-14592
CVE-2026-1282
CVE-2026-14594
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


