GitLab has released important security updates for its Community Edition (CE) and Enterprise Edition (EE) to address a number of high-severity vulnerabilities.
These patches, detailed in the release notes for versions 18.8.4, 18.7.4, and 18.6.6, resolve flaws that could allow attackers to steal access tokens, carry out Denial of Service (DoS) attacks, or inject malicious scripts.
Important Security Flaws Addressed
The most severe vulnerability patched in this release is CVE-2025-7659 (CVSS 8.0), an “Incomplete Validation” issue in the Web IDE.
This flaw could allow unauthenticated attackers to steal tokens and access private repositories, posing a significant risk to intellectual property and source code confidentiality.
Additionally, GitLab addressed two high-severity DoS vulnerabilities:
- CVE-2025-8099 (CVSS 7.5): A flaw in GraphQL introspection allowing repeated queries to crash the service.
- CVE-2026-0958 (CVSS 7.5): A middleware issue where bypassing JSON validation limits could lead to memory or CPU exhaustion.
Other high-risk patches include fixes for Cross-Site Scripting (XSS) in Code Flow (CVE-2025-14560) and HTML Injection in test case titles (CVE-2026-0595), both of which could allow attackers to execute unauthorized actions or inject malicious content.
| CVE ID | Vulnerability | Product | CVSS Score |
|---|---|---|---|
| CVE-2025-7659 | Incomplete Validation in Web IDE | GitLab CE/EE | 8.0 |
| CVE-2025-8099 | DoS in GraphQL introspection | GitLab CE/EE | 7.5 |
| CVE-2026-0958 | DoS in JSON validation middleware | GitLab CE/EE | 7.5 |
| CVE-2025-14560 | XSS in Code Flow | GitLab CE/EE | 7.3 |
| CVE-2026-0595 | HTML Injection in test case titles | GitLab CE/EE | 7.3 |
| CVE-2026-1458 | DoS in Markdown processor | GitLab CE/EE | 6.5 |
| CVE-2026-1456 | DoS in Markdown Preview | GitLab CE/EE | 6.5 |
| CVE-2026-1387 | DoS in Dashboard | GitLab EE | 6.5 |
| CVE-2025-12575 | SSRF in Virtual Registry | GitLab EE | 5.4 |
| CVE-2026-1094 | Improper Validation in diff parser | GitLab CE/EE | 4.6 |
| CVE-2025-12073 | SSRF in Git repository import | GitLab CE/EE | 4.3 |
| CVE-2026-1080 | Authorization Bypass in iterations API | GitLab EE | 4.3 |
GitLab strongly recommends that all self-managed installations upgrade to version 18.8.4, 18.7.4, or 18.6.6 immediately to mitigate these risks.
GitLab.com has already been patched, and no action is required for GitLab Dedicated customers.
Administrators should prioritize these updates given the potential for data theft and service disruption.
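For administrators with several self-managed instances, a quick way to act on the recommendation above is to compare each instance's running version against the three fixed releases named in this advisory. The script below is an added example, not GitLab's own tooling: the fixed versions come from this article, the version is read from GitLab's `GET /api/v4/version` endpoint (which requires an authenticated token), and `base_url` and `token` are placeholders the operator supplies. Release lines newer than 18.8 are reported as "unknown" rather than assumed safe, because this advisory does not cover them.

```python
"""Check a self-managed GitLab version against the fixed releases in this
advisory (18.8.4, 18.7.4, 18.6.6). Added example, not GitLab's own code."""
import json
import re
import urllib.request

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_RELEASES = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; edition suffixes such as '-ee' are ignored."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a version string.

    'unknown' means the release line is newer than any line this advisory
    covers, so it must be checked against GitLab's own release notes."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is not None:
        return "patched" if (major, minor, patch) >= fixed else "vulnerable"
    if (major, minor) < min(FIXED_RELEASES):
        # Older release lines received no fix; they need an upgrade to a fixed line.
        return "vulnerable"
    return "unknown"


def fetch_instance_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint.

    base_url and token are placeholders supplied by the operator; the token
    is sent in the PRIVATE-TOKEN header that the GitLab API expects."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample version strings; no network access is made here.
    for v in ["18.8.3-ee", "18.8.4", "18.7.4-ce", "18.6.5", "18.5.2", "18.9.0"]:
        print(f"{v:12s} -> {patch_status(v)}")
```

To check a live instance, call `fetch_instance_version("https://gitlab.example.invalid", token)` with a read-only token and pass the result to `patch_status`; anything other than "patched" should go on the upgrade list.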