Multiple GitLab Vulnerabilities Allow for Account Takeover and Exploitation of Stored XSS
GitLab has released emergency security patches to address multiple critical vulnerabilities that could allow attackers to perform account takeovers and execute stored cross-site scripting (XSS) attacks. The patched releases, versions 18.2.2, 18.1.4, and 18.0.6 of GitLab Community Edition (CE) and Enterprise Edition (EE), were made available on August 13, 2025, and users are urged to update to them immediately to prevent potential exploitation. The vulnerabilities affect all GitLab editions, with some issues dating back to version 14.2. Three high-severity XSS vulnerabilities, each with a CVSS score of 8.7, pose significant threats. The most critical flaw, CVE-2025-6186, allows authenticated users to achieve account takeover by injecting malicious HTML content into work item names.
In addition to the XSS vulnerabilities, GitLab has identified permission and authorisation issues that further compound the security risk. CVE-2025-8094 is an improper handling of permissions in the project API that could enable authenticated users with maintainer privileges to disrupt other users’ CI/CD pipelines. Several medium-severity vulnerabilities also exist, including CVE-2024-12303, an incorrect privilege assignment in issue deletion operations, and CVE-2024-10219, an incorrect authorisation check in the jobs API that could allow unauthorised access to private artifacts. Users are strongly advised to take immediate action to secure their systems against these vulnerabilities.
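As an added example (not from the advisory and not GitLab's own code), the following Python check reads the version string a GitLab instance reports and decides whether it is at or above the patched release for its branch, using the release numbers given above. The `/api/v4/version` endpoint and the `PRIVATE-TOKEN` header are GitLab's real API; the base URL, token and sample response are constructed placeholders.

```python
"""Decide whether a GitLab instance is on a release carrying the August 13, 2025 fixes."""
import json
import re
import urllib.request

# Minimum patched release per supported minor branch, as listed in the advisory above.
PATCHED = {(18, 2): (18, 2, 2), (18, 1): (18, 1, 4), (18, 0): (18, 0, 6)}


def parse_version(text):
    """Turn strings like '18.2.1-ee' or '18.1.4' into (major, minor, patch), ignoring suffixes."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unsupported' for a reported version.

    'unsupported' means the branch is older than 18.0, so the advisory offers no
    patched release for it; the fix is to upgrade to one of the patched branches.
    A branch newer than any listed (e.g. 18.3.x) is assumed to already carry the fix.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in PATCHED:
        return "patched" if version >= PATCHED[branch] else "vulnerable"
    if version > max(PATCHED.values()):
        return "patched"
    return "unsupported"


def fetch_version(base_url, token):
    """GET /api/v4/version (real endpoint) using a personal access token with read_api scope."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample in the shape /api/v4/version returns; replace with
    # fetch_version("https://gitlab.example.invalid", "<token placeholder>") for a live check.
    sample = json.loads('{"version": "18.2.1-ee", "revision": "0000000"}')
    print(sample["version"], "->", assess(sample["version"]))  # → 18.2.1-ee -> vulnerable
```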
Categories: Security Vulnerabilities, Cross-Site Scripting, Permission and Authorization Issues
Tags: GitLab, Security Patches, Vulnerabilities, Account Takeover, Cross-Site Scripting, CVE-2025-6186, CVE-2025-7734, CVE-2025-7739, Permissions, Authorization