Warning: Multiple high criticality vulnerabilities in GitLab CE/EE, Patch Immediately!

Published : 13/02/2026
  • Last Update: 13/02/2026

    * Affected products:
         → GitLab CE/EE 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4

    * Type:
         → CWE-346 Origin Validation Error
         → CWE-770 Allocation of Resources Without Limits or Throttling
         → CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') XSS
         → CWE-436 Interpretation Conflict

    * CVE/CVSS:

  • CVE-2025-7659: CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
  • CVE-2025-8099: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2025-14560: CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
  • CVE-2025-0595: CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
  • CVE-2025-0958: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Sources

GitLab advisory

HackerOne

Risks

GitLab disclosed five high criticality vulnerabilities (CVE-2025-7659, CVE-2025-8099, CVE-2025-14560, CVE-2025-0595, CVE-2025-0958) in GitLab CE/EE (Community Edition/Enterprise Edition).

At the time of writing, no public proof-of-concept is available for any of these vulnerabilities, and there is no evidence of exploitation in the wild.

Exploiting CVE-2025-7659, CVE-2025-14560 or CVE-2025-0595 can have a high impact on Confidentiality and Integrity but no impact on the Availability of the system.

Exploiting CVE-2025-8099 or CVE-2025-0958 can have a high impact on Availability but no impact on the Confidentiality or Integrity of the system.

Description

CVE-2025-7659: A remote, unauthenticated attacker can exploit this origin validation error in the Web IDE to steal tokens and gain access to private repositories. Exploitation requires user interaction and is rated high complexity (AC:H, UI:R), but the scope change (S:C) means the impact reaches beyond the vulnerable component itself.

CVE-2025-8099: A remote attacker needing neither privileges nor user interaction can exploit this unbounded resource allocation by sending repeated GraphQL queries, causing a Denial-of-Service (DoS).

CVE-2025-14560: A remote attacker with low privileges who can induce user interaction can inject malicious content into the vulnerability code flow view; when that content is rendered for another user, the attacker can perform unauthorized actions on that user's behalf.

CVE-2025-0595: A remote attacker with low privileges who can induce user interaction can exploit HTML injection in test case titles to add unauthorized email addresses to the victim's account.

CVE-2025-0958: A remote attacker needing neither privileges nor user interaction can bypass the limits enforced by the JSON validation middleware, causing denial of service through memory or CPU exhaustion.

For details, please refer to the GitLab advisory.  

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable instances with the highest priority after thorough testing. Upgrade to GitLab CE/EE 18.6.6, 18.7.4 or 18.8.4 (or a later release in the same line), as listed under Affected products.
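The following script, added here as an example and not part of the GitLab advisory or CCB guidance, checks whether a GitLab version string falls inside the affected ranges listed above (18.2 up to but excluding 18.6.6, 18.7.x before 18.7.4, 18.8.x before 18.8.4) and reports the first fixed release. The version string is normally read from the instance's own REST endpoint GET /api/v4/version, which requires an authenticated token; the fetch helper below assumes the caller supplies the base URL and a personal access token, and the sample version strings are constructed for illustration.

```python
"""Compare a GitLab CE/EE version against the affected ranges in this advisory.

Added example, not GitLab's or CCB's code. Ranges are copied from the
"Affected products" list: 18.2 <= v < 18.6.6, 18.7.x < 18.7.4, 18.8.x < 18.8.4.
"""
import json
import re
import urllib.request
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) pairs from the advisory's affected-products list.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((18, 2, 0), (18, 6, 6)),
    ((18, 7, 0), (18, 7, 4)),
    ((18, 8, 0), (18, 8, 4)),
]

# Accepts "18.8.3", "18.8.3-ee", "18.7" and tolerates a build suffix after - or +.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple.
    Edition suffixes such as '-ee' are ignored; a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def first_fixed_version(version: str) -> Optional[Version]:
    """Return the first fixed release for an affected version, or None when the
    version is outside every range the advisory lists. A None result for a
    release older than 18.2 only means the advisory does not cover it; it is
    not a statement that such a release is safe."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    return first_fixed_version(version) is not None


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def fetch_instance_version(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Read the running version from GET /api/v4/version (authenticated).
    base_url and token are assumptions supplied by the caller, e.g.
    https://gitlab.example.org and a personal access token with read_api scope."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


def report(version: str) -> str:
    """One-line verdict for a version string, suitable for an inventory script."""
    fixed = first_fixed_version(version)
    if fixed is None:
        return f"{version}: not in an affected range listed by this advisory"
    return f"{version}: AFFECTED, upgrade to {format_version(fixed)} or later"


if __name__ == "__main__":
    # Constructed sample inputs standing in for the "version" field of /api/v4/version.
    for sample in ["18.8.3-ee", "18.8.4", "18.7.2", "18.6.6", "18.5.1", "18.1.9"]:
        print(report(sample))
```

Run it against each self-managed instance in your inventory; a version in an affected range should be treated as unpatched regardless of edition suffix, since CE and EE share the same fixed release numbers in this advisory.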

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

NVD