Critical security patches on December 10, 2025, addressing ten significant vulnerabilities across its Community Edition and Enterprise Edition platforms.
GitLab has released updated versions 18.6.2, 18.5.4, and 18.4.6 to address multiple high-severity security issues.
High-Severity Threats Identified
Four vulnerabilities received high-severity ratings and require immediate remediation.
The vulnerability landscape includes four high-severity flaws, five medium-severity issues, and one low-severity vulnerability.
Four of the critical issues involve cross-site scripting (XSS) attacks and improper encoding that could allow unauthorized actions on behalf of other users.
| CVE ID | Vulnerability Type | CVSS Score |
|---|---|---|
| CVE-2025-12716 | Cross-site Scripting (XSS) | 8.7 |
| CVE-2025-8405 | Improper Encoding / HTML Injection | 8.7 |
| CVE-2025-12029 | Cross-site Scripting (XSS) | 8.0 |
| CVE-2025-12562 | Denial of Service (DoS) | 7.5 |
| CVE-2025-11984 | Authentication Bypass | 6.8 |
| CVE-2025-4097 | Denial of Service (DoS) | 6.5 |
| CVE-2025-14157 | Denial of Service (DoS) | 6.5 |
| CVE-2025-11247 | Information Disclosure | 4.3 |
| CVE-2025-13978 | Information Disclosure | 4.3 |
| CVE-2025-12734 | HTML Injection | 3.5 |
GitLab strongly recommends all self-managed installations upgrade immediately, as GitLab.com already runs the patched version.
The most severe vulnerabilities include a cross-site scripting flaw in Wiki functionality and improper encoding in vulnerability reports, both with a CVSS score of 8.7.