Developer Tools

In GitLab CE/EE versions 8.0 up to but not including 18.6.6, 18.7 up to but not including 18.7.4, and 18.8 up to but not including 18.8.4 a medium severity vulnerability CVE-2026-1458 was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service condition by uploading malicious files due to the allocation of resources without limits or throttling. To address this issue, users should upgrade GitLab CE/EE to versions 18.6.6, 18.7.4, 18.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1458.

In GitLab CE/EE versions 18.7 up to but not including 18.7.4 and 18.8 up to but not including 18.8.4 a high severity vulnerability CVE-2026-1456 was detected. This vulnerability allows unauthenticated attackers to cause a denial-of-service through CPU exhaustion by submitting specially crafted Markdown files that trigger exponential processing in the Markdown preview. To address this issue, users should upgrade GitLab CE/EE to versions 18.7.4, 18.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1456.

In GitLab EE versions 15.6 up to but not including 18.6.6, 18.7 up to but not including 18.7.4 and 18.8 up to but not including 18.8.4 a medium severity vulnerability CVE-2026-1387 was detected. This vulnerability allows authenticated attackers to cause a denial-of-service condition by uploading a malicious file and repeatedly querying it through GraphQL due to allocation of resources without limits or throttling. To address this issue, users should upgrade GitLab EE to versions 18.6.6, 18.7.4, 18.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1387.

In Gogs versions up to and including 0.13.3 a critical severity vulnerability CVE-2025-64175 was detected. This vulnerability allows attackers to bypass two-factor authentication due to improper scoping of 2FA recovery codes by user, enabling cross-account reuse of valid recovery codes and resulting in full account takeover when a victim’s credentials are known. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-64175.

In Gogs versions up to and including 0.13.3 a high severity vulnerability CVE-2026-24135 was detected. This vulnerability allows authenticated users with write access to a repository’s wiki to exploit a path traversal issue in the `updateWikiPage` function by manipulating the `old_title` parameter, enabling deletion of arbitrary files on the server. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-24135.

In Gogs versions up to and including 0.13.3 a high severity vulnerability CVE-2026-23633 was detected. This vulnerability allows attackers to exploit a path traversal issue in Git hook editing, enabling arbitrary file read and write operations on the server. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23633.

In Gogs versions up to and including 0.13.3 a medium severity vulnerability CVE-2026-23632 was detected. This vulnerability allows attackers with read-only repository permissions to modify repository contents due to missing write permission enforcement in the `PUT /repos/:owner/:repo/contents/*` endpoint, resulting in unauthorized commit creation and git push execution. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23632.

In Gogs versions up to and including 0.13.3 a medium severity vulnerability CVE-2026-22592 was detected. This vulnerability allows authenticated users to trigger a denial-of-service condition by deleting a repository file prior to synchronization, causing the application to crash. To address this issue, users should upgrade Gogs to versions 0.13.4, 0.14.0+dev, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22592.

In GitLab CE/EE versions from 12.3 up to but not including 18.6.4, 18.7 up to but not including 18.7.2, and 18.8 up to but not including 18.8.2 a medium severity vulnerability CVE-2026-1102 was detected. This vulnerability allows unauthenticated attackers to create a denial of service condition by sending repeated malformed SSH authentication requests, due to improper allocation of resources without adequate limits or throttling. To address this issue, users should upgrade GitLab to versions 18.6.4, 18.7.2, 18.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1102.