CVE-2025-4278
HIGHDescription
An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover.
Is your site exposed to CVE-2025-4278?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| gitlab | gitlab |
| gitlab | gitlab |
References
Frequently Asked Questions
What is CVE-2025-4278? +
How severe is CVE-2025-4278? +
What products are affected by CVE-2025-4278? +
How do I check if I'm vulnerable to CVE-2025-4278? +
Related Vulnerabilities
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover …
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen …
The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a …
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by …
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. During a recent internal audit, a Cross-Site Scripting …
It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. …