Skip to main content

Gitlab

Vendor security scorecard – 164 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 508
164
CVEs
6
Critical
44
High
0
KEV
34
PoC
20
Unpatched C/H
68.3%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
6
HIGH
44
MEDIUM
93
LOW
21

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-48801 Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation. HIGH 8.7 0.4% 64
PoC
CVE-2026-8589 Stored cross-site scripting and account integrity abuse in GitLab Enterprise Edition versions 13.1.4 through 18.10.7, 18.11 prior to 18.11.5, and 19.0 prior to 19.0.2 allows an authenticated low-privileged user to inject unsanitized input into certain group setting fields and add unauthorized email addresses to a targeted user's account. Publicly available exploit code exists via a HackerOne report, though EPSS exploitation probability remains very low at 0.02% and the SSVC framework rates current exploitation as 'none' with total technical impact when successful. HIGH 8.7 0.0% 64
PoC
CVE-2026-10087 Stored cross-site scripting in GitLab Enterprise Edition's Analytics Dashboard allows an authenticated developer-role user to execute arbitrary client-side JavaScript in the browser of a targeted user, leveraging improper input sanitization. The flaw affects all 17.1 through 18.10.x, 18.11.x, and 19.0.x branches before fixed releases, and publicly available exploit code exists via a HackerOne report, raising the realistic risk of opportunistic abuse against multi-tenant GitLab instances. HIGH 8.7 0.0% 64
PoC
CVE-2026-6552 Account takeover in GitLab Enterprise Edition versions 15.5 through 19.0.2 allows an authenticated group Owner to hijack other group members' accounts through improper authorization in the Group SAML identity management functionality. Publicly available exploit code exists via a HackerOne report, and GitLab released patched versions 18.10.8, 18.11.5, and 19.0.2 on 2026-06-10. The flaw stems from CWE-639 (Authorization Bypass Through User-Controlled Key) and yields a scope-changing high-impact compromise per CVSS 3.1. HIGH 8.7 0.0% 64
PoC
CVE-2026-3857 A Cross-Site Request Forgery (CSRF) vulnerability in GitLab Community Edition and Enterprise Edition allows unauthenticated attackers to execute arbitrary GraphQL mutations on behalf of authenticated users without their consent. All versions from 17.10 before 18.8.7, versions 18.9 before 18.9.3, and versions 18.10 before 18.10.1 are affected. A public proof-of-concept exploit is available via HackerOne report 3584382, significantly increasing the risk of active exploitation. HIGH 8.1 0.0% 61
PoC
CVE-2026-4922 Cross-Site Request Forgery (CSRF) in GitLab CE/EE allows remote unauthenticated attackers to execute GraphQL mutations as authenticated victims through crafted web pages. Affects all versions from 17.0 through 18.11.0, with publicly available exploit code (HackerOne report 3627285). Despite high CVSS 8.1, exploitation requires user interaction (phishing/social engineering) and is not automatable per CISA SSVC framework. No evidence of active exploitation in CISA KEV at time of analysis. Vendor patches released: 18.9.6, 18.10.4, and 18.11.1. HIGH 8.1 0.0% 61
PoC
CVE-2026-5262 Cross-site scripting vulnerability in GitLab's Storybook development environment allows remote unauthenticated attackers to steal access tokens via crafted user interaction. Affects GitLab CE/EE versions 16.1.0 through 18.9.5, 18.10 through 18.10.3, and 18.11.0. Publicly available exploit code exists (HackerOne report 3574642), though CISA SSVC indicates no confirmed active exploitation at time of analysis. CVSS 8.0 reflects high confidentiality and integrity impact with scope change, but CVSS vector AC:H (high complexity) and UI:R (user interaction required) indicate exploitation requires targeted social engineering rather than automated mass exploitation. HIGH 8.0 0.0% 60
PoC
CVE-2026-5816 Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1. HIGH 8.0 0.0% 60
PoC
CVE-2026-2995 Improper HTML sanitization in GitLab EE versions 15.4-18.10.1 allows authenticated users to add email addresses to arbitrary user accounts, potentially enabling account takeover or unauthorized access escalation. Public exploit code exists for this vulnerability, and no patch is currently available. Affected deployments should implement access controls to restrict user modification privileges until updates become available. HIGH 7.7 0.0% 59
PoC
CVE-2026-7250 Denial of service in GitLab CE/EE versions 12.10 through 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 allows unauthenticated remote attackers to crash or degrade the API request parsing middleware via malformed input. Publicly available exploit code exists (HackerOne report 3671995), and the CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H) reflects trivially-reachable, no-auth exploitation against any internet-exposed GitLab instance. No CISA KEV listing at time of analysis. HIGH 7.5 0.0% 58
PoC
CVE-2026-3988 GitLab CE/EE contains a denial of service vulnerability in GraphQL request processing due to improper input validation (CWE-407). All versions from 18.5 through 18.8.6, 18.9 through 18.9.2, and 18.10 before 18.10.1 are affected. An unauthenticated attacker can remotely exploit this with low complexity to render GitLab instances unresponsive, and a public proof-of-concept exploit is available via HackerOne report 3597342. HIGH 7.5 0.0% 58
PoC
CVE-2026-2745 GitLab CE/EE versions 7.11 through 18.10 contain an authentication bypass vulnerability in the WebAuthn two-factor authentication implementation due to inconsistent input validation, allowing unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability affects a wide version range spanning multiple releases (7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1). A proof-of-concept exploit is publicly available, and while the CVSS score of 6.8 indicates moderate severity, the authentication bypass nature and active exploit availability represent a significant real-world threat to GitLab deployments. MEDIUM 6.8 0.0% 54
PoC
CVE-2026-1724 GitLab EE contains an improper access control vulnerability that allows unauthenticated users to retrieve API tokens for self-hosted AI models without authentication. The vulnerability affects GitLab versions 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, impacting any organization running these versions with AI model integrations. With a CVSS score of 6.8 and publicly available proof-of-concept code, this represents a significant credential exposure risk requiring immediate patching. MEDIUM 6.8 0.0% 54
PoC
CVE-2026-1322 OAuth scope enforcement bypass in GitLab CE/EE allows an authenticated user holding a read_api-scoped OAuth token to perform unauthorized write operations - specifically creating issues and adding comments - in private projects. Affected are all GitLab Community and Enterprise Edition installations from version 16.0 up to the patched releases 18.9.7, 18.10.6, and 18.11.3. A publicly available proof-of-concept exists, and while EPSS probability is extremely low (0.01%, 1st percentile) with no CISA KEV listing, the integrity impact is rated High given the ability to inject content into private project issue trackers. MEDIUM 6.8 0.0% 54
PoC
CVE-2026-1660 Denial of service in GitLab CE/EE versions 12.3 through 18.11.0 allows authenticated users to trigger excessive resource consumption during issue import operations due to improper input validation on user-supplied data. The vulnerability affects all minor versions from 12.3 onwards until patched versions 18.9.6, 18.10.4, and 18.11.1. Publicly available exploit code exists, and CISA SSVC assessment indicates the vulnerability is exploitable but not automatable at scale. MEDIUM 6.5 0.1% 53
PoC

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy