Skip to content
July 9, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Watchtower
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • News
  • Vulnerability Report
  • GitLab Urges Immediate Update for Two High-Severity Flaws
  • Vulnerability Report

GitLab Urges Immediate Update for Two High-Severity Flaws

Do Son September 10, 2025 2 minutes read
GitLab Security Update Account Impersonation GitLab Security Update CVE-2026-1090 GitLab vulnerability GitLab vulnerability, GitLab patches
Add Daily CyberSecurity as a preferred source on Google

GitLab has released new versions of its Community and Enterprise Editions to address several security vulnerabilities, including two critical flaws that could be exploited to disrupt services and compromise data.

High-Severity Vulnerabilities

  • CVE-2025-2256: Denial of Service in SAML Responses
    This vulnerability could allow an unauthenticated user to make a GitLab instance unresponsive by sending multiple large SAML responses concurrently. The flaw has been assigned a CVSS score of 7.5. The affected versions include all versions of GitLab CE/EE from 7.12 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2.
  • CVE-2025-6454: Server-Side Request Forgery in Webhook Custom Headers
    This issue could allow an authenticated user to make unintended internal requests within a proxy environment. Attackers could inject crafted sequences into webhook custom headers to exploit this vulnerability. This flaw has a CVSS score of 8.5. All versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 are affected.

Additional Security Fixes

  • CVE-2025-1250: A Denial of Service flaw impacting user-controllable fields, where a specially crafted commit message, merge request description, or note could stall background jobs. The CVSS score is 6.5. This affects all versions from 15.0 before the patched versions.
  • CVE-2025-7337: A Denial of Service issue in endpoint file uploads. An authenticated user with Developer-level access could cause a persistent denial of service by uploading large files. The CVSS score is 6.5. This affects all versions from 7.8 before the patched versions.
  • CVE-2025-10094: A Denial of Service vulnerability in token listing operations. Authenticated users could create tokens with excessively large names, disrupting access to administrative operations. The CVSS score is 6.5. This affects all versions from 10.7 before the patched versions.
  • CVE-2025-6769: An information disclosure issue in runner endpoints. Authenticated users could view administrator-only maintenance notes by accessing runner details through specific interfaces. The CVSS score is 4.3. This affects all versions from 15.1 before the patched versions.

All self-managed GitLab installations are strongly advised to upgrade immediately to versions 18.3.2, 18.2.6, or 18.1.6 to mitigate these risks.

Related Posts:

  • GitLab Releases Security Updates: XSS and Authorization Bypass Flaws Patched
  • GitLab Patches High-Severity Flaws: Update Now to Prevent XSS and Account Takeover
  • GitLab Releases Security Update to Patch XSS and Account Takeover Flaws
  • GitLab Update: High-Severity XSS & Data Exposure Flaws Patched

Get Zero-Hour Vulnerability Alerts

Critical CVEs, CVSS scores, and PoC updates — straight to your inbox every week.


We respect your inbox. Unsubscribe anytime.

Related coverage

  • Active SharePoint Spoofing and Legacy Office RCE: CISA Alerts on New KEV Exploits
  • NVIDIA Patches High-Severity Code Injection Flaws in Megatron-LM AI Framework
  • ITScape KVM Escape: Public PoC Exploit Threatens Cloud Hosts
  • Critical Patches Fix Synology Chat Server Vulnerabilities
  • A Single Line of Code: Pre-Auth OpenSSH Flaw Exposes Ubuntu and Debian Servers

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: CVE-2025-2256 CVE-2025-6454 cybersecurity gitlab patch Vulnerability

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
  • CVE-2024-14037CVSS 9.8
    Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution...
    Admin intel📅 Updated: Jul 3, 2026
  • CVE-2026-8451CVSS 8.8
    Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory overread if NetScaler ADC or NetScaler Gateway is configured...
    Admin intel📅 Updated: Jul 2, 2026
  • CVE-2026-8037CVSS 9.6
    OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to...
    Admin intel📅 Updated: Jul 1, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-5955CVSS 9.8
    Improper neutralization of special elements used in an SQL command ('SQL injection')...
  • CVE-2026-2342CVSS 9.3
    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in...
  • CVE-2026-15158CVSS 9.8
    The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload...
  • CVE-2026-14245CVSS 9.8
    The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is...
  • CVE-2026-47646CVSS 9.3
    Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics...
  • CVE-2026-54782CVSS 10.0
    CoreWCF is a port of the service side of Windows Communication Foundation...
  • CVE-2026-15113CVSS 9.6
    Use after free in Autofill in Google Chrome on Android prior to...
  • CVE-2026-44024CVSS 9.8
    Fluentd collects events from various data sources and writes them to files,...
  • CVE-2026-53649CVSS 9.6
    # Unauthenticated Cross-Origin Plugin Upload Leads to RCE (Joro ≤ v1.1.0) **Severity:**...
  • CVE-2026-52831CVSS 10.0
    ## Summary Nuclio controller builds a `curl` invocation string for each cron...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • Disclaimer
    • Privacy Policy
    • DMCA NOTICE
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.