GitLab: GitLab Patches Multiple Vulnerabilities Enabling DoS and Cross-Site Scripting Attacks
GitLab Releases Critical Security Patches for High-Severity Vulnerabilities

GitLab has issued urgent security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing multiple high-severity vulnerabilities that are fixed in versions 18.8.4, 18.7.4, and 18.6.6. The patches mitigate risks including denial-of-service (DoS) attacks, cross-site scripting (XSS), and unauthorized data access, which could expose sensitive information such as access tokens.

The most critical flaw, CVE-2025-7659 (CVSS 8.0), involves incomplete validation in GitLab’s Web IDE, allowing unauthenticated attackers to steal tokens and access private repositories. Other notable vulnerabilities include CVE-2025-8099 (CVSS 7.5), a DoS risk in GraphQL introspection, and CVE-2026-0958 (CVSS 7.5), in which weak JSON validation can be abused to exhaust server resources. XSS and injection flaws, such as CVE-2025-14560 (CVSS 7.3), could enable session hijacking or the delivery of fake content.

Additional risks include DoS in Markdown tools and dashboards, as well as server-side request forgery (SSRF) vulnerabilities that could probe internal networks. GitLab.com users are already protected, but self-managed instances require immediate updates to prevent exploitation. The patches highlight the ongoing threat of automated attacks targeting unpatched systems. Full details are available in GitLab’s release notes.

Source: https://cyberpress.org/gitlab-patches-multiple-vulnerabilities-enabling-dos-and-cross-site-scripting-attacks/

GitLab cybersecurity rating report: https://www.rankiteo.com/company/gitlab-com

{
  "id": "GIT1770804634",
  "linkid": "gitlab-com",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Self-managed GitLab instances',
                        'industry': 'Software Development',
                        'name': 'GitLab',
                        'type': 'Company'}],
 'attack_vector': ['Web IDE',
                   'GraphQL Introspection',
                   'JSON Validation',
                   'Markdown Tools',
                   'Dashboards',
                   'SSRF'],
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Access tokens',
                                              'Private repository data']},
 'description': 'GitLab has issued urgent security updates for its Community '
                'Edition (CE) and Enterprise Edition (EE), addressing multiple '
                'high-severity vulnerabilities in versions 18.8.4, 18.7.4, and '
                '18.6.6. The patches mitigate risks including '
                'denial-of-service (DoS) attacks, cross-site scripting (XSS), '
                'and unauthorized data access, which could expose sensitive '
                'information like access tokens. The most critical flaw, '
                'CVE-2025-7659 (CVSS 8.0), involves incomplete validation in '
                'GitLab’s Web IDE, allowing unauthenticated attackers to steal '
                'tokens and access private repositories. Other notable '
                'vulnerabilities include CVE-2025-8099 (CVSS 7.5), a DoS risk '
                'in GraphQL introspection, and CVE-2026-0958 (CVSS 7.5), which '
                'exploits weak JSON validation to exhaust server resources. '
                'XSS and injection flaws, such as CVE-2025-14560 (CVSS 7.3), '
                'could enable session hijacking or fake content delivery. '
                'Additional risks include DoS in Markdown tools and '
                'dashboards, as well as server-side request forgery (SSRF) '
                'vulnerabilities that could probe internal networks. '
                'GitLab.com users are already protected, but self-managed '
                'instances require immediate updates to prevent exploitation.',
 'impact': {'data_compromised': ['Access tokens',
                                 'Private repository data',
                                 'Sensitive information'],
            'operational_impact': ['Potential unauthorized access to private '
                                   'repositories',
                                   'Server resource exhaustion'],
            'systems_affected': ['GitLab Community Edition (CE)',
                                 'GitLab Enterprise Edition (EE)']},
 'post_incident_analysis': {'corrective_actions': ['Security patches released',
                                                   'Immediate updates '
                                                   'recommended'],
                            'root_causes': ['Incomplete validation in Web IDE',
                                            'Weak JSON validation',
                                            'XSS and injection flaws']},
 'recommendations': ['Immediately update self-managed GitLab instances to '
                     'patched versions (18.8.4, 18.7.4, or 18.6.6) to prevent '
                     'exploitation.'],
 'references': [{'source': 'GitLab Release Notes'}],
 'response': {'containment_measures': ['Security patches released for versions '
                                       '18.8.4, 18.7.4, and 18.6.6'],
              'remediation_measures': ['Immediate updates required for '
                                       'self-managed instances']},
 'title': 'GitLab Releases Critical Security Patches for High-Severity '
          'Vulnerabilities',
 'type': ['Vulnerability Exploitation', 'Data Exposure'],
 'vulnerability_exploited': ['CVE-2025-7659',
                             'CVE-2025-8099',
                             'CVE-2026-0958',
                             'CVE-2025-14560']}