In GitLab CE/EE versions 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2, a medium-severity vulnerability, CVE-2026-1500, was detected. This vulnerability allows an authenticated user to cause a Denial of Service (DoS) condition. It is caused by uncontrolled resource consumption when the application processes a specially crafted file upload. To address this issue, users should upgrade GitLab CE/EE to version 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1500.
In Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, a medium-severity vulnerability, CVE-2026-53436, was detected. This vulnerability allows an attacker to perform phishing attacks by tricking users into being redirected to a malicious, attacker-controlled site (Open Redirect). It is caused by the application incorrectly concluding that a post-login redirect URL points back to Jenkins when the URL contains relative path segments (such as ./ or ../). To address this issue, users should upgrade Jenkins to patched version 2.568 or LTS 2.555.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53436.
In GitLab CE/EE versions 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2, a low-severity vulnerability, CVE-2026-9694, was detected. This vulnerability allows an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content. It is caused by improper neutralization in email template processing when handling a specially crafted Service Desk email reply. To address this issue, users should upgrade GitLab CE/EE to version 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://avd.aquasec.com/nvd/2026/cve-2026-9694.
In Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, a medium-severity vulnerability, CVE-2026-53438, was detected. This vulnerability allows an attacker to cancel queue items they do not have permission to view. It is caused by a missing permission check: users holding the Item/Cancel permission but lacking the Item/Read permission are not properly restricted when cancelling queue items. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53438.
In Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, a medium-severity vulnerability, CVE-2026-53440, was detected. This vulnerability allows an attacker to perform phishing attacks by redirecting users to a malicious, attacker-controlled domain (Open Redirect). It is caused by the “Delegate to servlet container” security realm failing to validate the “from” parameter to ensure it is a safe redirect target after a successful login. To address this issue, users should upgrade Jenkins to patched version 2.568 or LTS 2.555.3 (or later). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53440.
In GitLab CE/EE versions 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2, a medium-severity vulnerability, CVE-2026-10733, was detected. This vulnerability allows an authenticated user to cause a Denial of Service (DoS) condition. It is caused by improper sanitization of user input on the CI/CD Catalog page. To address this issue, users should upgrade GitLab CE/EE to version 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-10733.
In Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, a medium-severity vulnerability, CVE-2026-53442, was detected. This vulnerability allows an attacker with Item/Extended Read permission, or with access to the Jenkins controller file system, to access sensitive information. It is caused by Jenkins failing to encrypt secrets submitted via the POST config.xml API before storing them; as a result, these secrets are saved in plaintext in the job’s config.xml files on the Jenkins controller. To address this issue, users should upgrade Jenkins to patched version 2.568.0 or later, or LTS 2.555.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-53442.
In GitLab EE versions 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2, a high-severity vulnerability, CVE-2026-10087, was detected. This vulnerability allows an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user, i.e. a Cross-Site Scripting (XSS) attack. It is caused by improper input sanitization within the Analytics Dashboard. To address this issue, users should upgrade GitLab EE to version 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-10087.
In GitLab CE/EE versions 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2, a low-severity vulnerability, CVE-2026-3553, was detected. This vulnerability allows an authenticated user to access confidential issue details under certain conditions, leading to sensitive information disclosure. It is caused by incorrect authorization checks within the application’s issue tracking system. To address this issue, users should upgrade GitLab CE/EE to version 18.10.8, 18.11.5, or 19.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-3553.