| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Stored XSS via Mermaid Prototype Pollution vulnerability | Cross-site Scripting (XSS) - Stored | misha98857 | High | 2021-11-18 |
| ReDoS in syntax highlighting due to Rouge | Denial of Service | doyensec | Medium | 2021-11-15 |
| Use of Ruby Forwardable module and runtime meta-programming may introduce vulnerabilities | Information Disclosure | jobert | Medium | 2021-11-15 |
| Drive-by arbitrary file deletion in the GDK via letter_opener_web gem | Cross-Site Request Forgery (CSRF) | vakzz | Medium | 2021-11-12 |
| Stored XSS in Mermaid when viewing Markdown files | Cross-site Scripting (XSS) - DOM | saleemrashid | High | 2021-10-18 |
| Reporters can upload design to issues using the "Move to" feature | Privilege Escalation | maruthi12 | Medium | 2021-10-18 |
| Stored XSS in markdown via the DesignReferenceFilter | Cross-site Scripting (XSS) - Stored | vakzz | Critical | 2021-10-18 |
| Privilege escalation of "external user" (with maintainer privilege) to internal access through project token | Privilege Escalation | joaxcar | Medium | 2021-10-11 |
| Stored XSS in main page of a project caused by arbitrary script payload in group "Default initial branch name" | Cross-site Scripting (XSS) - Stored | joaxcar | High | 2021-09-15 |
| Guest users can create new test cases | Privilege Escalation | maruthi12 | Medium | 2021-08-30 |
| A deactivated user can access data through GraphQL | Improper Access Control - Generic | joaxcar | Medium | 2021-08-30 |
| A profile page of a user can be denied from loading by appending .html to the username | Violation of Secure Design Principles | maruthi12 | Low | 2021-08-30 |
| When you call your branch the same name as a git hash, it could be checked out by dependents | Resource Injection | retroplasma | Medium | 2021-08-19 |
| Clipboard DOM-based XSS | Cross-site Scripting (XSS) - DOM | vovohelo | Medium | 2021-08-19 |
| CSRF on /api/graphql allows executing mutations through GET requests | Cross-Site Request Forgery (CSRF) | az3z3l | High | 2021-08-02 |
| Stored-XSS in merge requests | Cross-site Scripting (XSS) - Reflected | ba5d2d132de8622c890dd60 | None | 2021-07-19 |
| Stored XSS in custom emoji | Cross-site Scripting (XSS) - Stored | ooooooo_q | High | 2021-07-19 |
| FogBugz import attachment full SSRF requiring vulnerability in *.fogbugz.com | Server-Side Request Forgery (SSRF) | ajxchapman | High | 2021-07-13 |
| Stored-XSS on wiki pages | Cross-site Scripting (XSS) - Stored | yvvdwf | Medium | 2021-07-13 |
| Stored-XSS in merge requests | Cross-site Scripting (XSS) - Stored | yvvdwf | High | 2021-07-13 |
| Stored XSS via Mermaid Prototype Pollution vulnerability | Cross-site Scripting (XSS) - Stored | taraszelyk | High | 2021-07-12 |
| Stored DOM XSS via Mermaid chart | Cross-site Scripting (XSS) - Stored | taraszelyk | High | 2021-07-12 |
| Arbitrary file read during project import | Path Traversal | saltyyolk | Critical | 2021-05-24 |
| Kroki Arbitrary File Read/Write | Improper Access Control - Generic | ledz1996 | High | 2021-05-21 |
| RCE when removing metadata with ExifTool | Code Injection | vakzz | Critical | 2021-05-14 |
| XSS in request approvals | Cross-site Scripting (XSS) - Stored | circuit | Medium | 2021-04-23 |
| RCE via unsafe inline Kramdown options when rendering certain Wiki pages | Code Injection | vakzz | Critical | 2021-04-20 |
| Ability To Delete User(s) Account Without User Interaction | Misconfiguration | hx01 | High | 2021-03-17 |
| XSS on Issue reference numbers | Cross-site Scripting (XSS) - DOM | yvvdwf | Medium | 2020-11-23 |
| CRLF injection & SSRF in git:// protocol lead to arbitrary code execution | Server-Side Request Forgery (SSRF) | chromium1337 | High | 2020-11-23 |
| Unauthorized access to private project security dashboard | Information Disclosure | vaib25vicky | Medium | 2020-11-21 |
| Stored XSS in group issue list | Cross-site Scripting (XSS) - Stored | mike12 | Medium | 2020-11-21 |
| Guest users can change the confidentiality attribute on those issues that have been assigned to them | Improper Access Control - Generic | 0xwintermute | Low | 2020-11-09 |
| GitLab-Runner on Windows `DOCKER_AUTH_CONFIG` container host Command Injection | OS Command Injection | ajxchapman | High | 2020-11-04 |
| Instant open redirect on Live preview Web IDE opening | Open Redirect | chaosbolt | Low | 2020-11-04 |
| SafeParamsHelper::safe_params is not so safe | Cross-site Scripting (XSS) - Reflected | vakzz | High | 2020-11-02 |
| Possibility to purchase Ultimate - 1 Year (EDU or OSS) | Business Logic Errors | steppe | Low | 2020-11-02 |
| Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... | Type Confusion | ledz1996 | High | 2020-11-02 |
| Insufficient Type Check on GraphQL leading to Maintainer delete repository | Improper Access Control - Generic | ledz1996 | High | 2020-11-02 |
| Todos are not redacted when membership changes - Access to (confidential) issues and merge requests | Information Disclosure | vaib25vicky | Medium | 2020-11-02 |
| Transferring a public group to a private group doesn't remove code from the Elasticsearch API search result | Improper Access Control - Generic | rpadovani | Medium | 2020-10-06 |
| Elasticsearch leaks data through the notes scope | Improper Access Control - Generic | rpadovani | Medium | 2020-10-06 |
| Ability to bypass email verification for OAuth grants results in account takeovers on 3rd parties | Authentication Bypass Using an Alternate Path or Channel | cache-money | High | 2020-10-01 |
| Adding everyone to the repo due to the lack of rate limit | Insecure Direct Object Reference (IDOR) | sadd_man | High | 2020-09-15 |
| Stored XSS in markdown when redacting references | Cross-site Scripting (XSS) - Stored | vakzz | High | 2020-09-09 |
| Stored XSS on PyPi simple API endpoint | Cross-site Scripting (XSS) - Stored | vakzz | Medium | 2020-09-09 |
| SSRF into Shared Runner, by replacing dockerd with malicious server in Executor | Server-Side Request Forgery (SSRF) | lucash-dev | Medium | 2020-09-08 |
| Members from parent group keep their access level on a subgroup transfer and are invisible | Improper Access Control - Generic | kryword | High | 2020-09-08 |
| EXIF metadata not stripped from JPG group logos | Information Disclosure | jackb898 | Low | 2020-09-08 |
| Injection of `http.<url>.*` git config settings leading to SSRF | Server-Side Request Forgery (SSRF) | vakzz | High | 2020-09-08 |
| Stealing data from customers.gitlab.com without user interaction | Insecure Direct Object Reference (IDOR) | rpadovani | High | 2020-08-26 |
| Initial mirror user can be assigned by other user even if the mirror was removed | Improper Access Control - Generic | sky003 | Medium | 2020-08-26 |
| An attacker can run pipeline jobs as arbitrary user | Business Logic Errors | u3mur4 | Critical | 2020-08-26 |
| Privilege escalation from any user (including external) to gitlab admin when admin impersonates you | Privilege Escalation | skavans | Critical | 2020-08-26 |
| Stored XSS in "Create Groups" | Cross-site Scripting (XSS) - Stored | rioncool22 | High | 2020-08-26 |
| SSRF In plantuml (on plantuml.pre.gitlab.com) | Server-Side Request Forgery (SSRF) | plazmaz | Medium | 2020-08-17 |
| Full Read SSRF on Gitlab's Internal Grafana | Server-Side Request Forgery (SSRF) | rhynorater | Critical | 2020-08-07 |
| Stored XSS in blob viewer | Cross-site Scripting (XSS) - Stored | yvvdwf | Medium | 2020-08-04 |
| Unrestricted file upload leads to Stored XSS | Cross-site Scripting (XSS) - Stored | semsem123 | Medium | 2020-08-03 |
| Send arbitrary PUT requests when user clicks on a link | Command Injection - Generic | yvvdwf | Medium | 2020-07-27 |
| gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in `allowed_paths` to be read | Information Disclosure | vakzz | Critical | 2020-06-08 |
| SSRF on project import via the remote_attachment_url on a Note | Server-Side Request Forgery (SSRF) | vakzz | High | 2020-06-08 |
| No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im | Denial of Service | gregxsunday | Low | 2020-05-15 |
| Arbitrary file read via the UploadsRewriter when moving an issue | Path Traversal | vakzz | Critical | 2020-04-27 |
| Server Side Request Forgery mitigation bypass | Server-Side Request Forgery (SSRF) | mclaren650sspider | High | 2020-04-18 |
| Git flag injection leading to file overwrite and potential remote code execution | Command Injection - Generic | vakzz | Critical | 2019-12-19 |
| Git flag injection - local file overwrite to remote code execution | Command Injection - Generic | vakzz | Critical | 2019-12-19 |
| Cross-site Scripting (XSS) - Stored in RDoc wiki pages | UI Redressing (Clickjacking) | vakzz | High | 2019-12-16 |
| Git flag injection - Search API with scope 'blobs' | Command Injection - Generic | vakzz | High | 2019-12-15 |
| Group search with Elasticsearch enabled leaks unrelated data | Improper Access Control - Generic | rpadovani | High | 2019-12-14 |
| Group search leaks private MRs, code, commits | Improper Access Control - Generic | rpadovani | High | 2019-12-14 |
| Bypass Email Verification using Salesforce -- Reproducible in gitlab.com | Violation of Secure Design Principles | ngalog | High | 2019-12-13 |
| GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery | Server-Side Request Forgery (SSRF) | ajxchapman | High | 2019-12-12 |
| Importing GitLab project archives can replace uploads of other users | Insecure Direct Object Reference (IDOR) | ajxchapman | High | 2019-12-11 |
| GraphQL query "namespace" leaks data | Improper Access Control - Generic | rpadovani | Medium | 2019-12-03 |
| Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests | Privilege Escalation | jobert | Critical | 2019-11-27 |
| DoS attack via comment on Issue | Denial of Service | 8ayac | Low | 2019-11-21 |
| Know whether private project name exists or not within a group using link comments | Information Disclosure | ashish_r_padelkar | Low | 2019-10-07 |
| Stored XSS in Wiki pages | Cross-site Scripting (XSS) - Stored | ryhmnlfj | High | 2019-09-02 |
| Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain | Reliance on Untrusted Inputs in a Security Decision | ngalog | Medium | 2019-08-31 |
| Persistent XSS in Note objects | Cross-site Scripting (XSS) - Stored | saltyyolk | High | 2019-07-19 |
| Local files could be overwritten in GitLab, leading to remote command execution | Command Injection - Generic | saltyyolk | Critical | 2019-07-17 |
| Attacker is able to access commit title and team member comments which are supposed to be private | Improper Access Control - Generic | yashrs | High | 2019-07-03 |
| Information disclosure of secret_key_base via encoding characters | Information Exposure Through an Error Message | paresh_parmar | High | 2019-06-14 |
| DoS on the Issue page by exploiting Mermaid. | Denial of Service | 8ayac | Medium | 2019-05-13 |
| JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions | Information Disclosure | jobert | Critical | 2019-04-20 |
| Full access to internal Gitlab instances at redash.gitlab.com, dashboards.gitlab.com, prometheus.gitlab.com | Incorrect Authorization | rijalrojan | Critical | 2019-04-19 |
| SSRF in CI after first run | Server-Side Request Forgery (SSRF) | plazmaz | Medium | 2019-04-12 |
| Bypass of GitLab CI runner slash fix in YAML validation | Improper Input Validation | ngalog | Critical | 2019-04-10 |
| Unauthenticated blind SSRF in OAuth Jira authorization controller | Server-Side Request Forgery (SSRF) | jobert | High | 2019-03-14 |
| Exfiltrate and mutate repository and project data through injected templated service | Improper Access Control - Generic | jobert | Critical | 2019-03-05 |
| Snippet JS template allows attacker to read a user's private snippets | Information Disclosure | jobert | Low | 2019-03-03 |
| Stored XSS on Issue details page | Cross-site Scripting (XSS) - Stored | 8ayac | High | 2018-10-30 |
| Persistent XSS - Deleting a project (No Longer Vulnerable in 10.7) | Cross-site Scripting (XSS) - Stored | phillycheeze | Medium | 2018-09-20 |
| Vulnerability in project import leads to arbitrary command execution | Command Injection - Generic | nyangawa | Critical | 2018-08-22 |
| HTML tag injection on profile name | Cross-site Scripting (XSS) - Stored | rootbakar_ | Low | 2018-07-27 |
| Potential SSRF via Git repository URL | Server-Side Request Forgery (SSRF) | rootbakar | Medium | 2018-07-16 |
| Persistent XSS - Selecting users as allowed merge request approvers | Cross-site Scripting (XSS) - Stored | phillycheeze | Medium | 2018-07-16 |
| XSS (Persistent) - Selecting role(s) for protected branches | Cross-site Scripting (XSS) - Stored | phillycheeze | High | 2018-07-16 |
| SSRF when importing a project from a git repo by URL | Information Disclosure | strukt | No rating | 2018-05-30 |
| GitHub import allows user to create child group under existing namespace | Improper Access Control - Generic | jobert | High | 2018-05-24 |
| SSRF vulnerability in gitlab.com webhook | Server-Side Request Forgery (SSRF) | wuqidashi | Medium | 2018-04-30 |
| SQL injection in MilestoneFinder order method | SQL Injection | jobert | Critical | 2018-04-27 |
| GitLab CI runner can read and poison cache of all other projects | Path Traversal | jobert | Critical | 2018-04-27 |
| Evaluating Ruby code by injecting Rescue job on the system_hook_push queue through web hook | Server-Side Request Forgery (SSRF) | jobert | High | 2018-04-27 |
| Command injection by overwriting authorized_keys file through GitLab import | Command Injection - Generic | jobert | Critical | 2018-04-27 |
| Using GitLab to monitor and hijack domains in mass quantity. | Business Logic Errors | edoverflow | High | 2018-02-22 |
| Cookie bomb | Denial of Service | moritz30 | Medium | 2018-02-16 |
| Lack of validation before assigning custom domain names leading to abuse of GitLab pages service | Phishing | badshah_ | Medium | 2018-02-02 |
| SSRF via git Repo by URL Abuse | Server-Side Request Forgery (SSRF) | nthack | Medium | 2017-11-28 |
| SSRF vulnerability in gitlab.com via project import. | Server-Side Request Forgery (SSRF) | edoverflow | Medium | 2017-11-09 |
| [Markdown] Stored XSS via character encoding parser bypass | Cross-site Scripting (XSS) - Stored | ysx | Medium | 2017-10-18 |
| CSRF-Token leak by request forgery | Cross-Site Request Forgery (CSRF) | naure | Medium | 2017-10-09 |
| Race condition in GitLab import, giving access to other people's imports due to filename collision | Information Disclosure | jobert | Low | 2017-10-03 |
| All private tokens are leaked to an unauthenticated attacker | Privilege Escalation | rpearl | Critical | 2017-09-21 |
| Access to GitLab's Slack by abusing issue creation from e-mail | Improper Authentication - Generic | intidc | Critical | 2017-09-21 |
| Impersonation attack via Broken Link in Resellers Page | Violation of Secure Design Principles | cdl | Low | 2017-09-08 |
| Gitlab is vulnerable to impersonation attacks due to broken links | Violation of Secure Design Principles | b3nac | Low | 2017-09-06 |
| CSV injection in gitlab.com via issues export feature. | Command Injection - Generic | edoverflow | Medium | 2017-07-21 |
| Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution | Violation of Secure Design Principles | pruby | Low | 2017-06-28 |
| GFM renderer leaks external issue tracker URL of private project | Information Disclosure | jobert | No rating | 2017-06-09 |
| Gitlab.com is vulnerable to reverse tabnabbing. (#2) | UI Redressing (Clickjacking) | edoverflow | Medium | 2017-05-09 |
| Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3) | UI Redressing (Clickjacking) | edoverflow | Medium | 2017-05-09 |
| Stored XSS on Files overview by abusing git submodule URL | Cross-site Scripting (XSS) - Stored | jobert | High | 2017-05-09 |
| Markdown based stored XSS (IE only) | Cross-site Scripting (XSS) - Generic | a0xnirudh | No rating | 2017-05-04 |
| CSRF Token Bypass in Account Deletion | Cross-Site Request Forgery (CSRF) | 7h0r4pp4n | Low | 2017-04-20 |
| Unfiltered `class` attribute in markdown code | Cross-site Scripting (XSS) - DOM | chalker | Medium | 2017-04-13 |
| Open redirect | Open Redirect | eadz | Medium | 2017-04-06 |
| [Repository Import] Open Redirect via "continue[to]" parameter | Open Redirect | ysx | Medium | 2017-04-06 |
| [Subgroups] Unprivileged User Can Disclose Private Group Names | Insecure Direct Object Reference (IDOR) | ysx | Medium | 2017-03-30 |
| Gitlab.com is vulnerable to reverse tabnabbing. | Open Redirect | edoverflow | Low | 2017-03-21 |
| [reStructuredText] XSS in project README files | Cross-site Scripting (XSS) - Generic | ysx | Medium | 2017-02-15 |
| [Textile] XSS in project README files | Cross-site Scripting (XSS) - Generic | ysx | Medium | 2017-02-15 |
| [RDoc] XSS in project README files | Cross-site Scripting (XSS) - Generic | ysx | Medium | 2017-02-15 |
| Users can download old project exports due to unclaimed namespace | Information Disclosure | jobert | Medium | 2017-01-24 |
| Every user can delete public deploy keys | Privilege Escalation | jobert | Medium | 2017-01-24 |
| User with guest access can access private merge requests | Privilege Escalation | jobert | Medium | 2017-01-24 |
| Users with guest access can post notes to private merge requests, issues, and snippets | Privilege Escalation | jobert | Medium | 2017-01-24 |
| Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com | Privilege Escalation | fransrosen | No rating | 2016-12-06 |
| State filter in IssuableFinder allows attacker to delete all issues and merge requests | Privilege Escalation | jobert | High | 2016-12-06 |
| Ability to access all user authentication tokens, leads to RCE | Privilege Escalation | jobert | Critical | 2016-11-03 |
| Read files on application server, leads to RCE | Information Disclosure | jobert | Critical | 2016-11-03 |
| Insecure 2FA/authentication implementation creates a brute force vulnerability | Violation of Secure Design Principles | yaworsk | No rating | 2016-10-28 |
| Boards leak private label names and descriptions | Information Disclosure | jobert | No rating | 2016-09-02 |
| XSS On meta tags in profile page | Cross-site Scripting (XSS) - Generic | plazmaz | No rating | 2016-08-21 |
| Attacker can extract list of private project's project members | Information Disclosure | jobert | No rating | 2016-08-01 |
| Persistent XSS on public wiki pages | Cross-site Scripting (XSS) - Generic | jobert | No rating | 2016-07-27 |
| Privilege escalation to access all private groups and repositories | Privilege Escalation | jobert | No rating | 2016-07-27 |
| Attacker can delete (and read) private project webhooks | Privilege Escalation | jobert | No rating | 2016-05-03 |
| Attacker can post notes on private MR, snippets, and issues | Privilege Escalation | jobert | No rating | 2016-05-03 |
| Confidential issues leaked in public projects when attached to milestone | Information Disclosure | jobert | No rating | 2016-05-03 |
| Private snippets in public / internal projects leaked through GitLab API | Information Disclosure | jobert | No rating | 2016-05-03 |
| Persistent XSS on public project page | Cross-site Scripting (XSS) - Generic | jobert | No rating | 2016-05-03 |
| Labels created in private projects are leaked | Information Disclosure | jobert | No rating | 2016-05-03 |
| Bypassing password authentication of users that have 2FA enabled | Improper Authentication - Generic | jobert | No rating | 2016-04-18 |