In GitLab EE versions 18.5 before 18.5.5, 18.6 before 18.6.3 and 18.7 before 18.7.1 a medium severity vulnerability CVE-2025-13781 was detected. This vulnerability allows an authenticated attacker to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations. To address this issue, users should upgrade GitLab EE to versions 18.5.5, 18.6.3, 18.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13781.
Read more Developer Tools
In GitLab CE/EE versions 18.6 before 18.6.3 and 18.7 before 18.7.1 a high severity vulnerability CVE-2025-13761 was detected. This vulnerability allows unauthenticated attackers to execute arbitrary code in the context of an authenticated user’s browser by exploiting improper input neutralization and convincing a user to visit a specially crafted webpage. To address this issue, users should upgrade GitLab CE/EE to versions 18.6.3, 18.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13761.
Read more Developer Tools
In GitLab CE/EE versions 15.4 before 18.5.5, 18.6 before 18.6.3 and 18.7 before 18.7.1 a medium severity vulnerability CVE-2025-11246 was detected. This vulnerability allows an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations due to insufficient granularity of access control. To address this issue, users should upgrade GitLab CE/EE to versions 18.5.5, 18.6.3, 18.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11246.
Read more Developer Tools
In GitLab CE/EE versions from 8.3 before 18.5.5, 18.6 before 18.6.3 and 18.7 before 18.7.1 a medium severity vulnerability CVE-2025-10569 was detected. This vulnerability allows an authenticated user to trigger a denial of service condition by supplying crafted responses to external API calls, exploiting missing limits or throttling on resource allocation. To address this issue, users should upgrade GitLab CE/EE to versions 18.5.5, 18.6.3, 18.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10569.
Read more Developer Tools
In GitLab EE versions 18.4 before 18.5.5, 18.6 before 18.6.3 and 18.7 before 18.7.1 a high severity vulnerability CVE-2025-13772 was detected. This vulnerability allows an authenticated attacker to access and use AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests due to missing authorization checks. To address this issue, users should upgrade GitLab EE to versions 18.5.5, 18.6.3, 18.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13772.
Read more Developer Tools
In Kanboard versions 1.2.48 and below a medium severity vulnerability CVE-2026-21879 was detected. This vulnerability allows attackers to perform open redirect attacks by abusing protocol-relative URLs (e.g., //evil.com) that bypass URL validation, redirecting authenticated users to attacker-controlled websites. To address this issue, users should upgrade Kanboard to version 1.2.49. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-21879.
Read more Project Management
In OpenLDAP LMDB mdb_load versions 2.6.10 and prior a high severity vulnerability CVE-2026-22185 was detected. This vulnerability allows local attackers to trigger a heap buffer underflow in the readline() function by supplying malformed input, resulting in an out-of-bounds read of heap memory. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22185.
Read more Security
In the Page Keys plugin for WordPress versions up to and including 1.3.3 a medium severity vulnerability CVE-2025-15000 was detected. This vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts via the page_key parameter due to insufficient input sanitization and output escaping, resulting in stored cross-site scripting (XSS). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-15000.
Read more CMS
In Directus versions before 10.13.0 a medium severity vulnerability CVE-2024-39896 was detected. This vulnerability allows attackers to enumerate existing SSO users in the instance by triggering specific error messages when combining SSO providers with local authentication. To address this issue, users should upgrade to version 10.13.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-39896.
Read more CMS