Remote Command Execution via Project Imports
XSS in ZenTao integration affecting self hosted instances without strict CSP
XSS in project settings page
Unallowed users can read unprotected CI variables
IP allow-list bypass to access Container Registries
2FA status is disclosed to unauthenticated users
CI variables provided to runners outside of a group's restricted IP range
IDOR in sentry issues
Reporters can manage issues in error tracking
Regular Expression Denial of Service via malicious web server responses
Unauthorized read for conan repository
Open redirect vulnerability
Group labels are editable through subproject
Release titles visible for any users if group milestones are associated with any project releases
Restrict membership by email domain bypass
Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint