DAST API scanner exposes Authorization headers in vulnerabilities
Group IP allow-list not fully respected by the Package Registry
Deploy keys and tokens may bypass External Authorization service if it is enabled
Repository import still allows to import 40 hexadecimal branches
Webhook secret tokens leaked in webhook logs
Maintainer can leak webhook secret token by changing the webhook URL
Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP
Release names visible in public projects despite release set as project members only
Sidekiq background job DoS by uploading malicious NuGet packages
SSRF in Web Terminal advertise_address