Gitlab Exploits

431 exploits tracked across all sources.

Sort: Newest Stars
CVE-2022-2229 GITLAB HIGH
GitLab CE/EE <14.10.5-15.0.4-15.1.1 - Info Disclosure
An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of.
by hackerone_a0xnirudh
CVSS 7.5
CVE-2023-6051 GITLAB MEDIUM
GitLab CE/EE <16.4.4, <16.5.4, <16.6.2 - Info Disclosure
An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag.
by hackerone_a0xnirudh
CVSS 5.7
CVE-2024-9387 GITLAB MEDIUM
Gitlab < 17.4.6 - Open Redirect
An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.
by hackerone_dug
CVSS 6.4
CVE-2026-21858 GITLAB CRITICAL
N8n < 1.121.0 - Improper Input Validation
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
by sastraadiwiguna-purpleeliteteaming
CVSS 10.0
CVE-2026-22804 GITLAB HIGH
Termix < 1.10.0 - XSS
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0.
by ThemeHackers
CVSS 8.0
CVE-2026-0628 GITLAB HIGH
Google Chrome < 143.0.7499.192 - Missing Authorization
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)
by sastraadiwiguna-purpleeliteteaming
CVSS 8.8
CVE-2025-22869 GITLAB HIGH
GO SSH < 0.35.0 - Resource Allocation Without Limits
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
by sempernow
CVSS 7.5
CVE-2025-24071 GITLAB MEDIUM
Microsoft Windows 10 1507 < 10.0.10240.20947 - Information Disclosure
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
by ThemeHackers
CVSS 6.5
CVE-2025-29972 GITLAB CRITICAL
Azure Storage Resource Provider - SSRF
Server-side request forgery (ssrf) in Azure Storage Resource Provider allows an authorized attacker to perform spoofing over a network.
by ThemeHackers
CVSS 9.9
CVE-2025-29927 GITLAB CRITICAL
Next.js Middleware Bypass
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
by ThemeHackers
CVSS 9.1
CVE-2025-32711 GITLAB CRITICAL
Microsoft 365 Copilot - Command Injection
Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
by daryllundy
CVSS 9.3
CVE-2025-48384 GITLAB HIGH
Git - Info Disclosure
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
by testdjshan
CVSS 8.0
CVE-2025-48384 GITLAB HIGH
Git - Info Disclosure
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
by burpsiteburp
CVSS 8.0
CVE-2025-8088 GITLAB HIGH
Rarlab Winrar < 7.13 - Path Traversal
A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
by patricnilackshan
CVSS 8.8
CVE-2025-49844 GITLAB CRITICAL
Redis < 6.2.20 - Use After Free
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
by patricnilackshan
CVSS 9.9
CVE-2025-32463 GITLAB CRITICAL
Sudo <1.9.17p1 - Privilege Escalation
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
by FR4NC0X
CVSS 9.3
CVE-2025-32901 GITLAB MEDIUM
KDE Connect <1.33.0 - DoS
In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.
by randshell
CVSS 4.3
CVE-2025-32900 GITLAB MEDIUM
KDE Connect <2025-04-18 - Info Disclosure
In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
by randshell
CVSS 4.3
CVE-2025-32899 GITLAB MEDIUM
KDE Connect <1.33.0 - DoS
In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP.
by randshell
CVSS 4.3
CVE-2025-32898 GITLAB MEDIUM
KDE Connect <2025-04-18 - Info Disclosure
The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59.
by randshell
CVSS 4.7
CVE-2025-32463 GITLAB CRITICAL
Sudo <1.9.17p1 - Privilege Escalation
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
by lowercasenumbers
CVSS 9.3
CVE-2025-30208 GITLAB MEDIUM
Vite - Arbitrary File Read
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
by ThemeHackers
CVSS 5.3
CVE-2025-10035 GITLAB CRITICAL
Fortra Goanywhere Managed File Transfer < 7.6.3 - Command Injection
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
by ThemeHackers
CVSS 10.0
CVE-2025-8088 GITLAB HIGH
Rarlab Winrar < 7.13 - Path Traversal
A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
by ThemeHackers
CVSS 8.8
CVE-2025-55182 GITLAB CRITICAL
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
by python
CVSS 10.0
By Source
All 431 Exploitdb 50,196 Writeup 43,060 Nomisec 19,721 Metasploit 3,028 Github 2,086 Vulncheck_xdb 887 Inthewild 518 Gitlab 431 Gitee 415 Patchapalooza 312
By Language
text 31,307 ruby 5,759 python 5,758 c 3,536 perl 2,854 html 2,051 php 1,332 bash 459 java 359 javascript 255 c++ 242 shell 54 go 38 postscript 25 xml 24