{"id":10565,"date":"2026-02-11T10:03:42","date_gmt":"2026-02-11T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/11\/gitlab-patches-multiple-vulnerabilities-that-enables-dos-and-cross-site-scripting-attacks\/"},"modified":"2026-02-11T10:03:42","modified_gmt":"2026-02-11T10:03:42","slug":"gitlab-patches-multiple-vulnerabilities-that-enables-dos-and-cross-site-scripting-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/11\/gitlab-patches-multiple-vulnerabilities-that-enables-dos-and-cross-site-scripting-attacks\/","title":{"rendered":"GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks"},"content":{"rendered":"

GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical security update has been released for both the Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities.<\/p>\n

The patches, available in versions 18.8.4, 18.7.4, and 18.6.6, fix flaws that could allow attackers to crash servers, steal data, or hijack user sessions.<\/p>\n

Security experts urge administrators of self-managed instances to upgrade immediately, noting that GitLab.com has already been patched.\u200b<\/p>\n

The most severe vulnerability, tracked as\u00a0CVE-2025-7659\u00a0(CVSS 8.0), lies in the Web IDE. This flaw involves \u201cincomplete validation,\u201d meaning the system fails to verify who is accessing certain data properly.<\/p>\n

An unauthenticated attacker, someone without a username or password, could exploit this to steal access tokens and view private software repositories.\u200b<\/p>\n

\n\n\n\n\n\n\n\n\n
CVE ID<\/th>\nSeverity<\/th>\nType<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-7659<\/strong><\/td>\nHigh (8.0)<\/td>\nToken Theft<\/td>\nUnauthenticated access to private tokens via Web IDE.<\/td>\n<\/tr>\n
CVE-2025-8099<\/strong><\/td>\nHigh (7.5)<\/td>\nDoS<\/td>\nService crash via repeated GraphQL queries.<\/td>\n<\/tr>\n
CVE-2026-0958<\/strong><\/td>\nHigh (7.5)<\/td>\nDoS<\/td>\nResource exhaustion via JSON validation bypass.<\/td>\n<\/tr>\n
CVE-2025-14560<\/strong><\/td>\nHigh (7.3)<\/td>\nXSS<\/td>\nmalicious script injection in Code Flow.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The update also resolves two dangerous Denial-of-Service (DoS) issues<\/a>. In a DoS attack, a hacker tries to overwhelm a system to knock it offline.<\/p>\n

CVE-2025-8099\u00a0(CVSS 7.5) allows attackers to crash the service by sending repeated, complex queries to the GraphQL interface.<\/p>\n

CVE-2026-0958\u00a0(CVSS 7.5) exploits the JSON validation middleware, letting attackers exhaust the server\u2019s memory or CPU.\u200b<\/p>\n

Another major fix addresses\u00a0CVE-2025-14560\u00a0(CVSS 7.3), a Cross-Site Scripting (XSS)<\/a> vulnerability in the \u201cCode Flow\u201d feature. XSS flaws allow attackers to inject malicious scripts into trusted websites.<\/p>\n

In this case, an attacker could hide code that executes when another user views it, potentially allowing them to perform actions on behalf of that victim.\u200b<\/p>\n

GitLab strongly recommends<\/a> that all customers running affected versions upgrade to the latest patch immediately.<\/p>\n

While the update fixes these critical issues, it also addresses several medium-severity bugs, including Server-Side Request Forgery (SSRF) and HTML injection flaws.<\/p>\n

Administrators should be aware that upgrading single-node instances may require brief downtime for database migrations.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

GitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks A critical security update has been released for both the Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities. The patches, available in versions 18.8.4, 18.7.4, and 18.6.6, fix flaws that could allow attackers to crash servers, steal data, or hijack […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,2294,2178],"tags":[130],"class_list":["post-10565","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-gitlab","category-security-updates","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10565"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10565"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10565\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}