Urgent Alert: GitLab Issues Critical Security Updates to Combat DoS and Code Injection Threats

ByAdmin April 14, 2026April 14, 2026

GitLab has released urgent security updates (versions 18.10.3, 18.9.5, and 18.8.9) for its Community Edition (CE) and Enterprise Edition (EE). These critical GitLab security updates address high-severity flaws that could enable Denial-of-Service (DoS) and code-injection attacks.

GitLab strongly advises all administrators of self-managed systems to upgrade immediately to protect their instances from these significant vulnerabilities. Applying these GitLab security updates is paramount for maintaining system integrity.

High-Severity Vulnerabilities Addressed in GitLab Security Updates

The latest security release resolves three high-severity bugs that pose significant risks to GitLab environments:

CVE-2026-5173 (CVSS 8.5): An authenticated attacker could execute unintended server-side commands through WebSocket connections due to improper access controls. This vulnerability highlights the importance of timely GitLab security updates.
CVE-2026-1092 (CVSS 7.5): An unauthenticated user could trigger a Denial of Service attack by submitting improperly validated JSON data to the Terraform state lock API.
CVE-2025-12664 (CVSS 7.5): Attackers without an account could cause a DoS condition by overwhelming the server with repeated GraphQL queries.

Medium-Level Vulnerabilities Patched

Alongside the severe issues, GitLab also addressed several medium-level vulnerabilities that could compromise user safety and system stability:

CVE-2026-1516 (CVSS 5.7): An authenticated user could inject malicious code into Code Quality reports, secretly leaking the IP addresses of other users who view the report.
CVE-2026-1403 (CVSS 6.5): Weak validation of CSV files could allow authenticated users to crash background Sidekiq workers during file import.
CVE-2026-4332 (CVSS 5.4): Poor input filtering in analytics dashboards could allow attackers to execute harmful JavaScript code in the browsers of other users.
CVE-2026-1101 (CVSS 6.5): Bad input validation in GraphQL queries could allow an authenticated user to cause a DoS of the entire GitLab instance.

Additional Security Patches and Lower-Severity Fixes

The update also includes several lower-severity patches that resolve data leaks and broken access controls, further enhancing overall GitLab security:

CVE-2026-2619 (CVSS 4.3): Incorrect authorization allowed authenticated users with auditor privileges to modify vulnerability flag data in private projects.
CVE-2025-9484 (CVSS 4.3): An information disclosure bug allowed authenticated users to view other users’ email addresses through specific GraphQL queries.
CVE-2026-1752 (CVSS 4.3): Improper access controls allowed developers to modify protected environment settings.
CVE-2026-2104 (CVSS 4.3): Insufficient authorization checks in CSV exports allowed users to access confidential issues assigned to others.
CVE-2026-4916 (CVSS 2.7): A missing authorization check allows users with custom roles to demote or remove higher-privileged group members.

GitLab emphasizes that all self-managed installations must be upgraded to versions 18.10.3, 18.9.5, or 18.8.9 as soon as possible. These GitLab security updates are crucial for enterprise environments.

Because these updates do not require complex database changes, multi-node deployments can be upgraded without any system downtime. Users hosted on GitLab.com or using GitLab Dedicated are already safe, as the company has applied the patches to its cloud servers.

CISA Directives | Cybersecurity Alerts | Vulnerability Management

Urgent: Critical TrueConf Vulnerability Actively Exploited, CISA Mandates Immediate Patching
ByAdmin April 14, 2026April 14, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a severe warning, officially adding a critical vulnerability affecting TrueConf software to its Known Exploited Vulnerabilities (KEV) catalog. This alarming development underscores the immediate need for defensive action across federal agencies and private organizations utilizing TrueConf. Tracked as CVE-2026-3502, this security flaw is currently facing active…

Read More Urgent: Critical TrueConf Vulnerability Actively Exploited, CISA Mandates Immediate Patching
Zero-Day Exploits | Browser Security | Cybersecurity

Urgent: Chrome Emergency Patch Deploys Against Active Zero-Day Exploit
ByAdmin April 6, 2026April 6, 2026

Google has issued a critical Chrome emergency patch for its Chrome browser, addressing a severe zero-day vulnerability (CVE-2026-5281) that is currently being actively exploited in the wild. This urgent update brings the Stable channel to version 146.0.7680.177/178 for Windows and Mac, and 146.0.7680.177 for Linux. Users are strongly advised to update their browsers immediately as…

Read More Urgent: Chrome Emergency Patch Deploys Against Active Zero-Day Exploit
Cybersecurity | Phishing | Threat Intelligence

Urgent Warning: Sophisticated Fake Microsoft Teams Attacks Threaten Organizations
ByAdmin April 14, 2026April 14, 2026

Cybercriminals are launching a sophisticated new wave of attacks using fake Microsoft Teams domains. According to recent threat intelligence shared by SEAL Org, hackers are actively tricking corporate users into downloading malicious payloads by mimicking the widely used communication platform. As Microsoft Teams remains an essential tool for remote and hybrid work environments, threat actors…

Read More Urgent Warning: Sophisticated Fake Microsoft Teams Attacks Threaten Organizations
Cybersecurity | Nginx | Vulnerability Alerts

Urgent Warning: Critical Nginx-UI Flaw Explosed, Enabling Full System Compromise
ByAdmin April 6, 2026April 6, 2026

Critical Nginx-UI Flaw (CVE-2026-33026) Exposes Systems to Full Compromise A severe security vulnerability, tracked as CVE-2026-33026, has been disclosed in the Nginx-UI backup restore mechanism. This critical flaw allows threat actors to manipulate encrypted backup archives and inject malicious configurations during the restoration process, putting unpatched deployments at immediate risk of full system compromise. With…

Read More Urgent Warning: Critical Nginx-UI Flaw Explosed, Enabling Full System Compromise
Cybersecurity | Fortinet | Vulnerability | Zero-Day

Urgent Warning: Critical Fortinet FortiClient EMS Zero-Day Actively Exploited
ByAdmin April 14, 2026April 14, 2026

Fortinet has issued an emergency hotfix following the disclosure of a critical zero-day vulnerability in its FortiClient EMS product. This flaw, actively exploited by threat actors in the wild, poses a severe risk to organizations, particularly those with internet-exposed deployments of FortiClient EMS. Understanding the Critical FortiClient EMS Zero-Day Tracked as CVE-2026-35616 and assigned a…

Read More Urgent Warning: Critical Fortinet FortiClient EMS Zero-Day Actively Exploited
Cybersecurity | Enterprise Security | Network Security | Vulnerability

Urgent Warning: Critical F5 BIG-IP APM Flaw Actively Exploited, Thousands at Grave Risk
ByAdmin April 14, 2026April 14, 2026

A critical security flaw in F5’s BIG-IP Access Policy Manager (APM) is currently under active exploitation, leaving thousands of enterprise networks at risk. This vulnerability, officially tracked as CVE-2025-53521, has sparked urgent warnings across the cybersecurity community after its impact was upgraded from a standard Denial-of-Service (DoS) to a severe Remote Code Execution (RCE) flaw….

Read More Urgent Warning: Critical F5 BIG-IP APM Flaw Actively Exploited, Thousands at Grave Risk

High-Severity Vulnerabilities Addressed in GitLab Security Updates

Medium-Level Vulnerabilities Patched

Additional Security Patches and Lower-Severity Fixes

Similar Posts

Cyber Strike News