DoS using Webhook connections
CSRF on GraphQL API allows executing mutations through GET requests
Private projects information disclosure
Denial of service of user profile page
Single sign-on users not getting blocked
Some users can push to Protected Branch with Deploy keys
A deactivated user can access data through GraphQL
Reflected XSS in release edit page
Clipboard DOM-based XSS
Stored XSS on Audit Log
Forks of public projects by project members could leak codebase
Improper text rendering
HTML Injection in full name field