CVE-2025-13761
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowe
CVSS
8.0
Alto
EPSS
0.6%
p46
KEV
—
Exploit Today
14
0-100
Publicado: 9 ene 2026 · Última mod.: 15 jul 2026 · CWE-79
0.6%EPSS · 30 días0.6%
2026-06-302026-07-17
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
- about.gitlab.comhttps://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
- gitlab.comhttps://gitlab.com/gitlab-org/gitlab/-/issues/582237
- hackerone.comhttps://hackerone.com/reports/3441368
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2025-13761
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2428218
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-13761.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2021-252996.1 MED99.9%
——30Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.9dCVE-2021-364506.1 MED99.2%
——30Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the control/my_notifications NEWUINAV parameter.9dCVE-2023-414256.1 MED98.9%
——30Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.9dCVE-2022-330986.1 MED98.8%
——30Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted SVG document, with JavaScript, for a profile picture.9dCVE-2025-441489.8 CRÍ98.8%
——30Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component13dCVE-2022-365335.4 MED98.5%
——30Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain a cross-site scripting (XSS) vulnerability.9d