GitLab Security Update \u2013 Patch for XSS and API DoS Vulnerabilities
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
GitLab has released urgent security updates for its Community Edition (CE) and Enterprise Edition (EE) to address a wide range of vulnerabilities.<\/p>\n
The newly released versions 18.9.2, 18.8.6, and 18.7.6 fix a total of 15 security issues, including critical Cross-Site Scripting (XSS) and Denial-of-Service (DoS) flaws.<\/a><\/p>\n Administrators of self-managed instances are strongly urged to apply these patches immediately to maintain good security hygiene and protect their environments.\u200b<\/p>\n The most critical issue addressed in this release is CVE-2026-1090, a high-severity XSS vulnerability with a CVSS score of 8.7.<\/p>\n This flaw exists in GitLab\u2019s Markdown placeholder<\/a> processing when the Markdown placeholders feature flag is enabled.<\/p>\n An authenticated attacker can bypass proper sanitization checks to inject malicious JavaScript into a victim\u2019s browser, potentially leading to unauthorized actions or session hijacking.<\/p>\n Additionally, GitLab patched three high-severity DoS vulnerabilities that could allow unauthenticated attackers to disrupt critical services.<\/p>\n A flaw in the GraphQL API<\/a> allows specially crafted requests to cause uncontrolled recursion and resource exhaustion. Malicious requests sent to the repository archive endpoints can also trigger a denial-of-service attack under specific conditions.<\/p>\n Furthermore, improper validation of JSON payloads<\/a> in the protected branches API can be easily exploited to crash the service. Beyond the high-severity issues, this update resolves several medium and low-severity bugs.<\/p>\n Notable fixes include addressing DoS risks in webhook custom headers<\/a> (CVE-2025-13690) and webhook endpoints (CVE-2025-12576).<\/p>\n The patch also neutralizes\u00a0improper<\/a><\/span> CRLF sequences <\/a>(CVE-2026-3848) and fixes access control issues in the runners API (CVE-2025-12555), which could have allowed unauthorized access to previous pipeline job information.<\/p>\n Information disclosure bugs affecting confidential issues were also successfully remediated. The security update addresses several specific CVEs that administrators should track.<\/p>\n CVE-2026-1090 is a high-severity cross-site scripting flaw in Markdown placeholder processing with a CVSS score of 8.7.<\/p>\n There are also three high-severity denial-of-service vulnerabilities, each with a CVSS score of 7.5: CVE-2026-1069 affects the GraphQL API, CVE-2025-13929 impacts the repository archive endpoint, and CVE-2025-14513 targets the protected branches API.<\/p>\n Furthermore, the patch resolves two medium-severity denial-of-service issues, both scoring 6.5 on the CVSS scale, involving webhook custom headers (CVE-2025-13690) and the webhook endpoint (CVE-2025-12576).<\/p>\n To ensure continuous service and data protection, organizations must take immediate action. Update all self-managed GitLab CE and EE installations<\/a> to versions 18.9.2, 18.8.6, or 18.7.6.<\/p>\n Single-node instances will experience brief downtime during the upgrade as database migrations complete. In contrast, multi-node setups can utilize zero-downtime upgrade procedures.<\/p>\n Users on GitLab.com and GitLab Dedicated are already running the patched versions and require no administrative action. Detailed vulnerability reports will be made public on GitLab\u2019s issue tracker 30 days after this patch release.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post GitLab Security Update \u2013 Patch for XSS and API DoS Vulnerabilities<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\nGitLab<\/strong> Vulnerabilities Patched<\/strong>
\n<\/h2>\n