[CIVN-2026-0148] Multiple Vulnerabilities in GitLab Products

Published On: March 22, 2026

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256


Multiple Vulnerabilities in GitLab Products


Indian Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


GitLab versions prior to 18.9.2, 18.8.6 and 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Overview


Multiple vulnerabilities have been reported in GitLab CE/EE that could allow a remote attacker to trigger cross-site scripting, disclose sensitive information, bypass security restrictions and cause a denial of service (DoS) condition on the targeted system.


Target Audience:

Organizations and individuals operating self-managed GitLab CE/EE instances.


Risk Assessment:

Risk of unauthorized access, information disclosure, improper access control, input validation abuse and service unavailability.

 

Impact Assessment:

Potential for unauthorized access to sensitive data and disruption of services.


Description


GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both open-source Community Edition (CE) and Enterprise Edition (EE) versions.


Multiple vulnerabilities exist in GitLab CE/EE due to improper sanitization of placeholder content, uncontrolled recursion, improper input validation, improper handling of webhook response data, improper access control, improper filtering and improper authorization validation. An attacker could exploit these vulnerabilities by sending specially crafted requests or content to the targeted system.


Successful exploitation of these vulnerabilities could allow a remote attacker to trigger cross-site scripting, disclose sensitive information, bypass security restrictions and cause a denial of service (DoS) condition on the targeted system.


Solution


Apply the appropriate updates as described in the vendor patch release notes:

https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/
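A version-triage helper for the fixed releases listed above (18.9.2, 18.8.6 and 18.7.6), added here as an example and not code from CERT-In or GitLab. It assumes the instance reports its version as MAJOR.MINOR.PATCH with an optional -ce/-ee suffix, as returned by `gitlab-rake gitlab:env:info` or the `/api/v4/version` endpoint; the sample fleet at the bottom is constructed.

```python
"""Decide whether a self-managed GitLab version still needs the CIVN-2026-0148 patch release.

Assumption (not from the advisory): version strings look like '18.8.5' or '18.8.5-ee';
the edition suffix is ignored for comparison.
"""
from __future__ import annotations

# Earliest patched release on each maintained branch, taken from the advisory.
FIXED_VERSIONS = ((18, 9, 2), (18, 8, 6), (18, 7, 6))


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '18.8.5-ee' into (18, 8, 5); reject anything that is not three numeric fields."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the instance is 'prior to' the fix on its branch.

    Comparing only against the newest fix (18.9.2) would wrongly flag 18.8.6 and
    18.7.6 as vulnerable, so each patched branch is checked against its own fix
    level. Branches older than 18.7 have no listed fix and count as affected;
    branches newer than 18.9 already carry the fix.
    """
    version = parse_version(text)
    for fixed in FIXED_VERSIONS:
        if version[:2] == fixed[:2]:  # same major.minor branch as a listed fix
            return version < fixed
    return version[:2] < max(FIXED_VERSIONS)[:2]


def triage(versions: list[str]) -> dict[str, str]:
    """Label each reported version AFFECTED or PATCHED for a fleet report."""
    return {v: ("AFFECTED" if is_affected(v) else "PATCHED") for v in versions}


if __name__ == "__main__":
    # Constructed sample fleet, not real hosts.
    sample = ["18.9.1-ee", "18.9.2-ee", "18.8.6-ce", "18.7.5", "18.6.9", "18.10.0"]
    for version, state in triage(sample).items():
        print(f"{version:<12} {state}")
```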



Vendor Information


GitLab

https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/


References


GitLab

https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/


CVE Name

CVE-2026-3848

CVE-2026-1732

CVE-2026-1663

CVE-2026-1230

CVE-2026-1182

CVE-2026-1090

CVE-2026-1069

CVE-2026-0602

CVE-2025-14513

CVE-2025-13929

CVE-2025-13690

CVE-2025-12704

CVE-2025-12697

CVE-2025-12576

CVE-2025-12555




--


Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax: 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----