Remote Command Execution via GitHub import
Stored XSS via labels color
Content injection via Incidents Timeline description
Lack of length validation in Snippets leads to Denial of Service
Group IP allow-list not fully respected by the Package Registry
Abusing Gitaly.GetTreeEntries calls leads to denial of service
Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags
Regular Expression Denial of Service via special crafted input
Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events
Regex backtracking through the Commit message field
Read repository content via LivePreview feature
Denial of Service via the Create branch API
Denial of Service via Issue preview
IDOR in Zentao integration leaked issue details
Brute force attack may guess a password even when 2FA is enabled