ReDoS via ProjectReferenceFilter in any Markdown fields
ReDoS via AutolinkFilter in any Markdown fields
Regex DoS in Harbor Registry search
Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality
Stored XSS in Web IDE Beta via crafted URL
securityPolicyProjectAssign mutation does not authorize security policy project ID
An attacker can run pipeline jobs as arbitrary user
Possible Pages Unique Domain Overwrite
Access tokens may have been logged when a query was made to an endpoint
Reflected XSS via PlantUML diagram
The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code
Invalid 'start_sha' value on merge requests page may lead to Denial of Service
Developers can create pipeline schedules on protected branches even if they don't have access to merge
Potential DOS due to lack of pagination while loading license data
Leaking emails of newly created users