Developer Tools

In GitLab CE/EE versions from 18.6 up to but not including 18.6.4, 18.7 up to but not including 18.7.2, and 18.8 up to but not including 18.8.2 a high severity vulnerability CVE-2026-0723 was detected. This vulnerability allows an attacker with prior knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses, due to an unchecked return value. To address this issue, users should upgrade GitLab to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0723.

In GitLab CE/EE versions from 17.7 up to but not including 18.6.4, 18.7 up to but not including 18.7.2, and 18.8 up to but not including 18.8.2 a high severity vulnerability CVE-2025-13928 was detected. This vulnerability allows unauthenticated attackers to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. To address this issue, users should upgrade GitLab to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13928.

In GitLab CE/EE versions from 11.9 up to but not including 18.6.4, 18.7 up to but not including 18.7.2, and 18.8 up to but not including 18.8.2 a high severity vulnerability CVE-2025-13927 was detected. This vulnerability allows unauthenticated attackers to create a denial of service condition by sending crafted requests containing malformed authentication data, due to improper allocation of resources without limits or throttling. To address this issue, users should upgrade GitLab CE/EE to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13927.

In Backstage and the @backstage/backend-defaults package versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0 a low severity vulnerability CVE-2026-24048 was detected. This vulnerability allows attackers who control an allowed external host to perform Server-Side Request Forgery (SSRF) by abusing automatic HTTP redirect handling in the FetchUrlReader component, enabling access to internal or sensitive URLs that are not explicitly allowlisted. To address this issue, users should upgrade @backstage/backend-defaults to versions 0.12.2, 0.13.2, 0.14.1, 0.15.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24048.

In Backstage using the @backstage/backend-plugin-api package versions prior to 0.1.17 a medium severity vulnerability CVE-2026-24047 was detected. This vulnerability allows attackers to bypass path traversal protections by abusing improperly validated symlink chains or dangling symlinks in the resolveSafeChildPath utility, potentially enabling file operations to access or modify files outside of intended directories. To address this issue, users should upgrade @backstage/backend-plugin-api to version 0.1.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24047.

In Backstage versions prior to @backstage/backend-defaults 0.12.2, 0.13.2, 0.14.1, and 0.15.0; @backstage/plugin-scaffolder-backend 2.2.2, 3.0.2, and 3.1.1; and @backstage/plugin-scaffolder-node 0.11.2 and 0.12.3 a high severity vulnerability CVE-2026-24046 was detected. This vulnerability allows attackers with permission to create or execute Scaffolder templates to exploit symlink-based path traversal issues to read arbitrary files, delete files outside the workspace, or write files to unintended locations via vulnerable Scaffolder actions and archive extraction utilities. To address this issue, users should upgrade @backstage/backend-defaults to versions 0.12.2, 0.13.2, 0.14.1, 0.15.0, @backstage/plugin-scaffolder-backend to versions 2.2.2, 3.0.2, 3.1.1 and @backstage/plugin-scaffolder-node to versions 0.11.2 or 0.12.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24046.

In GitLab CE/EE versions from 17.1 before 18.6.4, 18.7 before 18.7.2 and 18.8 before 18.8.2 a medium severity vulnerability CVE-2025-13335 was detected. This vulnerability allows an authenticated attacker to cause a denial of service by configuring malformed Wiki documents that bypass cycle detection and trigger an infinite loop with an unreachable exit condition. To address this issue, users should upgrade GitLab to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13335.

In ZITADEL versions prior to 4.9.1 and 3.4.6 a medium severity vulnerability CVE-2026-23511 was detected. This vulnerability allows unauthenticated attackers to enumerate valid user accounts by probing the login interfaces and observing differences when iterating through usernames or user IDs. To address this issue, users should upgrade to ZITADEL versions 4.9.1 or 3.4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23511.

In GitLab CE/EE versions from 15.10 before 18.3.6, 18.4 before 18.4.4 and 18.5 before 18.5.2 a high severity vulnerability CVE-2025-11224 was detected. This vulnerability allows an authenticated attacker to perform stored cross-site scripting attacks due to improper input validation in the Kubernetes proxy functionality, potentially executing malicious scripts in the context of other users’ browsers. To address this issue, users should upgrade GitLab to versions 18.3.6, 18.4.4, 18.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11224.