This site offers a simple way to search for advisories in the GitLab Advisory Database. The database contains information about security issues in software dependencies that you might be using in your projects.
GitLab’s Dependency Scanning feature also utilizes this database to scan your application’s dependencies for known vulnerabilities.
A reflected cross site scripting (XSS) vulnerability in XWiki allows an attacker to execute arbitrary actions in XWiki with the rights of the victim if the attacker manages to trick a victim into visiting a crafted URL. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation.
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).
Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).
Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).
Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false).
A logged‑in user without the dlattachment right can download FAQ attachments. This is due to a permissive permission check in attachment.php that treats the mere presence of a right key as authorization and a flawed group/user logic expression.
A logged‑in user without the dlattachment right can download FAQ attachments. This is due to a permissive permission check in attachment.php that treats the mere presence of a right key as authorization and a flawed group/user logic expression.
This advisory is a duplicate of CVE-2025-43865 and has been removed.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
This advisory is a duplicate of CVE-2025-43864 and has been removed.
This advisory has been marked as a false positive.
This advisory has been marked as False Positive and has been removed.
Versions of url-parse before 1.4.3 returns the wrong hostname which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f78f-353m-cf4j. This link is maintained to preserve external references. Original Description Versions of node-rules prior to 5.0.0 are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an eval call when using the fromJSON function. This may allow attackers to execute arbitrary code in the system if the rules are …