CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-8330
Medium

A vulnerability in GitLab CE/EE allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint. It affects all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-5952
Medium

A vulnerability in GitLab CE/EE due to incorrect authorization checks allows an authenticated user with developer role to bypass package protection rules and overwrite protected Maven package metadata under certain conditions.

CVE-2026-5796
Medium

A vulnerability in GitLab CE/EE allows an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.

CVE-2026-5309
Medium

An issue in GitLab EE allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization under certain conditions. Affected versions: 18.6 to 18.11.6, 19.0 to 19.0.3, and 19.1 to 19.1.1.

CVE-2026-3176
Low

An issue was found in GitLab EE that, under certain conditions, could allow an authenticated user with limited permissions to access project information due to insufficient authorization checks. It affects all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-2238
Medium

A vulnerability in GitLab CE/EE allowed an unauthenticated user to view confidential issue references in public projects under certain conditions due to improper authorization checks. Affected versions: 17.5 to 18.11.6, 19.0 to 19.0.3, and 19.1 to 19.1.1.

CVE-2026-1606
Medium

A vulnerability in GitLab CE/EE allows an authenticated user to conceal content within a Snippet due to improper input validation. The issue affects versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-13311
High

The vulnerability in shell-quote before version 1.8.5 causes the parse() function to run in O(n^2) time relative to the number of input tokens. An attacker can supply a crafted string that blocks the single-threaded Node.js event loop for an extended period, leading to denial of service (DoS).

CVE-2026-12635
Unknown

A vulnerability in GitLab CE/EE allows an authenticated user with maintainer role to make requests to internal network resources via mirror synchronization due to improper URL validation. Affected versions: from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-12053
High

In GitLab EE, a vulnerability was found that under certain conditions could allow a user to access sensitive information already committed to a project. The issue was due to insufficient output filtering in Duo Workflows.

CVE-2026-11379
Medium

An incorrect authorization issue in DAST site profile management in GitLab EE could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.

CVE-2026-10712
High

A vulnerability in GitLab CE/EE allows an unauthenticated attacker to execute arbitrary JavaScript in a user's browser session due to improper path validation. Affects versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

CVE-2026-10086
High

An issue was discovered in GitLab EE where improper sanitization of user-supplied input could allow an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session.

CVE-2026-0934
Low

In GitLab EE, a vulnerability was found that under certain conditions allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations even though CI/CD visibility was disabled for the project.

CVE-2026-2508
Medium

The Gravity Forms Booking plugin for WordPress is vulnerable to time-based SQL Injection via the 'staff_id' parameter in all versions up to and including 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-12079
Medium

The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 5.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

CVE-2026-12077
High

The Dokan Pro plugin for WordPress is vulnerable to time-based SQL Injection via the 'latitude' and 'longitude' parameters in all versions up to and including 5.0.4 due to insufficient escaping and lack of proper query preparation.

CVE-2026-10833
Medium

The Gutenberg Essential Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'configurablePrefix' Block Attribute. This issue affects all versions up to and including 6.1.4 due to insufficient input sanitization and output escaping.

CVE-2026-8662
Low

A Path Traversal vulnerability in the create_archive function of Rapid7 InsightConnect Compression Plugin on Linux allows authenticated attackers to write to unintended file paths via crafted filename input. The impact is limited to file corruption as content cannot be controlled by the attacker.

CVE-2026-8658
Medium

The Tcpdump plugin for Rapid7 InsightConnect on Linux is vulnerable to OS command injection. An authenticated attacker can execute arbitrary commands via the options or filter parameters due to insufficient input sanitization.

PreviousPage 194 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS