GitLab Patches Critical DoS & XSS Vulnerabilities
GitLab has issued a critical security update for its Community Edition (CE) and Enterprise Edition (EE), addressing multiple high-severity vulnerabilities.
The patches, available in versions 18.8.4, 18.7.4, and 18.6.6, fix flaws that could allow attackers to crash servers, steal data, or hijack user sessions.
Security experts urge administrators of self-managed instances to upgrade immediately, noting that GitLab.com has already been patched.
The most severe vulnerability, tracked as CVE-2025-7659 (CVSS 8.0), lies in the Web IDE. GitLab describes the flaw as "incomplete validation": the system does not properly verify who is accessing certain data before serving it.
An unauthenticated attacker, one with no account on the instance, could exploit this to steal access tokens and read private software repositories.
| CVE ID | Severity | Type | Description |
|---|---|---|---|
| CVE-2025-7659 | High (8.0) | Token Theft | Unauthenticated access to private tokens via Web IDE. |
| CVE-2025-8099 | High (7.5) | DoS | Service crash via repeated GraphQL queries. |
| CVE-2026-0958 | High (7.5) | DoS | Resource exhaustion via JSON validation bypass. |
| CVE-2025-14560 | High (7.3) | XSS | Malicious script injection in Code Flow. |
The update also resolves two Denial-of-Service (DoS) issues. In a DoS attack, an attacker overwhelms a system with requests until it stops serving legitimate users.
CVE-2025-8099 (CVSS 7.5) allows attackers to crash the service by sending repeated, complex queries to the GraphQL interface.
CVE-2026-0958 (CVSS 7.5) abuses the JSON validation middleware, letting attackers exhaust the server's memory or CPU.
Another major fix addresses CVE-2025-14560 (CVSS 7.3), a Cross-Site Scripting (XSS) vulnerability in the "Code Flow" feature. XSS flaws allow attackers to inject malicious scripts into pages served by a trusted website.
In this case, an attacker could plant script that runs in the browser of another user who views the affected content, allowing the attacker to perform actions in that victim's session.
GitLab strongly recommends that all customers running affected versions upgrade to the latest patch immediately.
Beyond these high-severity issues, the update also addresses several medium-severity bugs, including Server-Side Request Forgery (SSRF) and HTML injection flaws.
Administrators should plan for brief downtime when upgrading single-node instances, since the upgrade runs database migrations.
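The first thing an administrator of a self-managed instance needs to know is whether the version they are running already contains these fixes. The following is an added example, not code from the advisory or from GitLab, that checks a version string against the three fixed releases named above (18.8.4, 18.7.4 and 18.6.6). The version strings in the sample are constructed; in practice they would come from the instance's `GET /api/v4/version` endpoint, which returns strings such as `18.8.3-ee`. The rule that any branch newer than 18.8 is patched, and that any branch older than 18.6 received no fix and must be upgraded, is an assumption drawn from the advisory listing only those three branches.

```python
# Added example: check a GitLab version string against the fixed releases
# named in the advisory (18.8.4, 18.7.4, 18.6.6). Not GitLab's own code.
import re

# Fixed release per affected minor branch, taken from the advisory.
FIXED_VERSIONS = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}

# Accepts "18.8.4", "v18.8.4", "18.8.4-ee", "18.8.4-rc1"; only X.Y.Z is compared.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized GitLab version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(text):
    """Return True if this version contains the fixes from the advisory.

    A branch listed in FIXED_VERSIONS is patched at or above its fix release.
    Assumption (not stated by the advisory): branches newer than 18.8 include
    the fixes; branches older than 18.6 got no fix release and must upgrade.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    # Not an affected branch: newer than the newest fixed branch -> patched,
    # older than the oldest fixed branch -> unpatched with no fix available.
    return branch > max(FIXED_VERSIONS)


def audit(versions):
    """Map each reported version string to a status label."""
    return {v: ("patched" if is_patched(v) else "UPGRADE REQUIRED") for v in versions}


if __name__ == "__main__":
    # Constructed sample of what several hosts might report from /api/v4/version.
    sample = ["18.8.3-ee", "18.8.4", "18.7.4-ee", "18.6.5", "18.5.2", "18.9.0"]
    for version, status in audit(sample).items():
        print(f"{version:12} {status}")
```

Run it against the version reported by each instance in your fleet; anything labelled `UPGRADE REQUIRED` on an 18.5 or older branch has no patch release on its branch and must move to one of the three fixed versions.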
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.