Skip to content
July 19, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Vulnerability Report
  • Urgent GitLab Security Alert: High-Severity Flaws Allow Account Takeover & Code Injection!
  • Vulnerability Report

Urgent GitLab Security Alert: High-Severity Flaws Allow Account Takeover & Code Injection!

Do Son June 12, 2025 2 minutes read
0
GitLab Security, High-Severity Flaws
Add Daily CyberSecurity as a preferred source on Google

GitLab has issued urgent security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing a series of high-severity vulnerabilities that impact self-managed installations. The newly released versions—18.0.2, 17.11.4, and 17.10.8—contain critical fixes, and administrators are strongly advised to upgrade immediately.

“We strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately,” GitLab warned in its advisory.

One of the most severe vulnerabilities fixed in this release is CVE-2025-4278, an HTML injection flaw affecting the GitLab search page. Under specific conditions, attackers could inject malicious HTML content that enables account takeover. The vulnerability affects all versions of GitLab CE/EE starting with 18.0 and prior to 18.0.2.

“GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to achieve account takeover by injecting code into the search page,” the advisory explains.

GitLab also addressed CVE-2025-2254, a cross-site scripting (XSS) vulnerability located in the snippet viewer. This flaw allowed attackers to run malicious scripts in the context of another legitimate user, potentially enabling session hijacking or data theft. The vulnerability affects GitLab CE/EE versions from 17.9 up to—but not including—17.10.8, 17.11.4, and 18.0.2.

A significant issue exclusive to GitLab Ultimate EE was also patched: CVE-2025-5121. This vulnerability could allow an authenticated attacker to inject malicious CI/CD jobs into all future pipelines of any project within an affected GitLab instance. It affects GitLab Ultimate EE versions from 17.11 before 17.11.4 and from 18.0 before 18.0.2.

GitLab has also patched several DoS vulnerabilities that could allow attackers to disrupt services:

  • CVE-2025-0673: Infinite redirect loop causing memory exhaustion
  • CVE-2025-1516: Unbounded webhook token names
  • CVE-2025-1478: Oversized board names
  • CVE-2025-5996: Malicious third-party components

Each of these flaws could be used to prevent legitimate users from accessing GitLab instances, especially in high-availability environments.

Other Notable Fixes

  • CVE-2024-9512: Information disclosure via secondary node sync delays
  • CVE-2025-5195: Authorization bypass revealing sensitive compliance data
  • CVE-2025-5982: Group-level IP restriction bypass

Administrators should upgrade to 18.0.2, 17.11.4, or 17.10.8 immediately. These patches address vulnerabilities affecting GitLab versions going back as far as 2.1.0.

Related Posts:

  • GitLab Releases Security Update to Patch XSS and Account Takeover Flaws
  • Gitlab flaw allows remote attackers to take over user accounts
  • GitLab Remote Command Execution Vulnerability
  • GitLab Remote Code Execution Vulnerability

Related coverage

  • The ‘Must-Patch’ List: CISA Adds Actively Exploited SolarWinds, Ivanti, and Omnissa Flaws to KEV
  • Public Exploit and Details Released for Bad Epoll Root Flaw (CVE-2026-46242)
  • Critical 9.6 CVSS OIDC Flaws in OpenBao Turn “Direct Login” Into a Phishing Trap
  • “Fiber” Optic Failure: Predictable UUIDs Expose Go Web Framework to Hijacking
  • Poisoned Comments: Critical Orval Flaw (CVE-2026-25141) Injects Code
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Account Takeover CI/CD CVE-2025-4278 cybersecurity dos gitlab GitLab CE GitLab EE HTML Injection security update Vulnerability XSS

Leave a Reply Cancel reply

You must be logged in to post a comment.

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2025-71392CVSS 9.4
    SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.