Overview

CVE-2025-7449 is a medium-severity Denial of Service (DoS) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). This vulnerability impacts versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1. An authenticated user with specific permissions can exploit this vulnerability to cause a DoS condition through malicious HTTP response processing. It is crucial to upgrade your GitLab instance to a patched version to mitigate this risk.

Technical Details

The vulnerability stems from how GitLab handles HTTP responses. An authenticated user, possessing the necessary privileges (the specifics of which are not fully detailed in the public…
Overview

CVE-2025-6195 is a medium-severity information disclosure vulnerability affecting GitLab Enterprise Edition (EE). Discovered and patched in late 2025, this vulnerability could allow an authenticated user to potentially view sensitive information contained within security reports, under specific and limited configuration conditions. This issue impacts GitLab EE versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1.

Technical Details

The vulnerability stems from improper access control checks within the security report functionality of GitLab EE. While the exact details are kept intentionally vague by GitLab to prevent exploitation of unpatched instances, it’s understood that a combination of factors,…
Overview

This blog post details a significant security vulnerability, identified as CVE-2025-65670, affecting Classroomio version 0.1.13. This vulnerability is an Insecure Direct Object Reference (IDOR) that allows unauthorized access to sensitive administrative and student data.

Technical Details

CVE-2025-65670 is an IDOR (Insecure Direct Object Reference) vulnerability. In Classroomio 0.1.13, students can manipulate course IDs within URLs to access admin/teacher-restricted endpoints. This allows them to view sensitive information related to courses, administrators, and other students. The exploit leverages the application’s failure to properly validate user authorization when accessing resources via direct object references. It is reported that the leak occurs briefly…
Overview

CVE-2025-65278 is a critical security vulnerability discovered in GroceryMart, specifically affecting the users.json file within commit 21934e6 (dated 2020-10-23). This flaw allows unauthenticated attackers to access sensitive information, including plaintext usernames and passwords, potentially leading to significant security breaches.

Technical Details

The vulnerability resides in the users.json file of the specified GroceryMart commit. This file contains user account information, which, unfortunately, is stored in plaintext. An attacker who can access this file (e.g., through a misconfigured web server, exposed directory listing, or other means) can retrieve usernames and passwords without any authentication. The vulnerable commit, 21934e6, highlights the need…
Overview

A critical security vulnerability, identified as CVE-2025-65276, has been discovered in the open-source HashTech project (version 1.0 up to commit 5919decaff2681dc250e934814fc3a35f6093ee5, dated 2021-07-02). This flaw allows unauthenticated attackers to gain full administrative access to the HashTech dashboard. This severe issue stems from a lack of proper authentication checks on the /admin_index.php endpoint.

Technical Details

The root cause of CVE-2025-65276 lies in the absence of authentication mechanisms protecting the /admin_index.php page. This allows any unauthorized user to bypass login procedures and directly access the administrative interface. Specifically, the application fails to verify user credentials before granting access to sensitive administrative…
Overview

CVE-2025-50433 describes a critical vulnerability discovered in imonnit.com on April 24, 2025. This vulnerability allows malicious actors to gain escalated privileges and take over arbitrary user accounts through a crafted password reset exploit. Successful exploitation of this flaw could lead to unauthorized access to sensitive data, system compromise, and significant disruption of services. This vulnerability was published on November 26, 2025, and while the CVSS score and severity are currently listed as N/A, the potential impact warrants immediate attention.

Technical Details

The vulnerability stems from an insecure password reset mechanism. By manipulating parameters within the password reset process, an…
Overview

CVE-2025-13611 describes a low-severity vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). This issue, remediated by GitLab, could potentially allow an authenticated user with access to specific logs to obtain sensitive tokens under certain conditions. This vulnerability impacts GitLab versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1.

Technical Details

The vulnerability stems from insufficient sanitization of sensitive data within GitLab logs. While the exact conditions required for token exposure are not explicitly detailed, the vulnerability description suggests that an authenticated user with appropriate log access privileges could potentially extract tokens. The core issue…
Overview

CVE-2025-12653 describes a security vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that could allow an unauthenticated user to join arbitrary organizations. This vulnerability affects versions 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1. By manipulating request headers under specific conditions, an attacker could bypass authentication checks and gain unauthorized access to an organization within GitLab.

Technical Details

The vulnerability stems from insufficient validation of request headers during the organization join process. An unauthenticated user could potentially modify certain headers in a crafted request to impersonate an authorized user or bypass authorization checks altogether. The…
Overview

CVE-2025-12571 is a high-severity Denial of Service (DoS) vulnerability affecting GitLab CE/EE. This flaw allows an unauthenticated attacker to disrupt GitLab service availability by sending specifically crafted requests containing malicious JSON payloads. Successful exploitation can render the GitLab instance unusable, impacting development workflows and potentially causing data loss or corruption if not addressed promptly. This vulnerability affects GitLab versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1. Users running these versions are strongly advised to upgrade to a patched version as soon as possible.

Technical Details

The vulnerability lies in how GitLab processes incoming JSON requests.…
Overview

CVE-2025-66028 describes a privilege escalation vulnerability affecting OneUptime, a solution designed for monitoring and managing online services. This vulnerability allows an attacker to potentially gain unauthorized access to the admin dashboard by manipulating the login response.

Technical Details

The vulnerability lies in the login process of OneUptime versions prior to 8.0.5567. The server response included a parameter called isMasterAdmin. An attacker could intercept the login response and modify the value of this parameter from false to true. By doing so, they could gain access to the admin dashboard interface. It is important to note, however, that even with access…