Vulnerabilities fixed by GitLab

GitLab has released a critical security update for both the Community Edition (CE) and Enterprise Edition (EE) to fix several high-severity vulnerabilities.
The patches, which address vulnerabilities that could enable attackers to crash servers, steal data, or take over user sessions, are available in versions 18.8.4, 18.7.4, and 18.6.6. Security experts advise administrators of self-managed instances to update right away, pointing out that GitLab.com has already been patched. The most serious vulnerability, CVE-2025-7659 (CVSS 8.0), is in the Web IDE. It is an "incomplete validation" flaw: the system does not correctly confirm who is gaining access to particular data.
An unauthenticated attacker, that is, someone without a username or password, could use it to view private software repositories and steal access tokens.
CVE ID          Severity     Type         Description
CVE-2025-7659   High (8.0)   Token Theft  Unauthorized access to private tokens through the Web IDE
CVE-2025-8099   High (7.5)   DoS          Service crash caused by repeated GraphQL queries
CVE-2026-0958   High (7.5)   DoS          Resource exhaustion through JSON validation bypass
CVE-2025-14560  High (7.3)   XSS          Malicious script injection in the Code Flow feature
The update also fixes two Denial-of-Service (DoS) vulnerabilities. In a DoS attack, an attacker tries to take a system down by overloading it. With CVE-2025-8099 (CVSS 7.5), attackers can crash the service by repeatedly submitting complex queries to the GraphQL interface. With CVE-2026-0958 (CVSS 7.5), attackers can bypass the JSON validation middleware and exhaust the server's memory or CPU.
Another significant patch fixes the Cross-Site Scripting (XSS) vulnerability in the "Code Flow" feature, CVE-2025-14560 (CVSS 7.3).
XSS vulnerabilities let attackers insert malicious scripts into otherwise trusted websites. In this case, an attacker could hide code that runs when another user views it, and thereby carry out actions on that user's behalf. GitLab strongly advises all users of affected versions to update to the latest patch right away.
Beyond these high-severity issues, the update addresses a number of medium-severity bugs, including HTML injection vulnerabilities and Server-Side Request Forgery (SSRF). Administrators should be aware that database migrations may require a brief outage when upgrading single-node instances.
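A quick way for administrators of self-managed instances to check where they stand is to compare the installed version against the patched release of its own line. The following is an added example, not code from the article or from GitLab; only the three fixed versions come from the advisory, and the rule that a line older than 18.6 is treated as affected and pointed at 18.6.6 is this example's own assumption.

```python
# Added example (not from the article): decide whether a self-managed
# GitLab build predates the patched release of its line, and which
# version it should move to. Fixed versions come from the advisory;
# the matching logic is this example's own.
from typing import NamedTuple, Optional

# Patched releases named in the advisory, keyed by (major, minor) line.
FIXED_VERSIONS = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}


class UpgradeAdvice(NamedTuple):
    vulnerable: bool          # True if the build predates its line's fix
    target: Optional[tuple]   # version to move to, or None if already patched


def parse_version(text: str) -> tuple:
    """Turn '18.7.2-ee' or 'v18.8.1' into (18, 7, 2); edition suffixes are ignored."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(p) for p in parts)


def upgrade_advice(installed: str) -> UpgradeAdvice:
    """Compare an installed version with the patched release of its line.

    Lines older than 18.6 received no patch in this advisory, so this
    example treats them as affected and points at the lowest patched
    release, 18.6.6 (an assumption of this example, not the advisory).
    Lines newer than 18.8 are assumed to already carry the fixes.
    """
    version = parse_version(installed)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        if version > max(FIXED_VERSIONS.values()):
            return UpgradeAdvice(False, None)
        return UpgradeAdvice(True, min(FIXED_VERSIONS.values()))
    if version >= fixed:
        return UpgradeAdvice(False, None)
    return UpgradeAdvice(True, fixed)
```

Feed it the version string shown on the instance's /help page (or in `gitlab-rake gitlab:env:info` output) to get a direct answer for that line.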