GitLab Web Interface Vulnerability Allowing Content Mismatch
CVE-2025-12506

3.5LOW

Key Information:

Vendor

Gitlab

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2025-12506?

A flaw in GitLab CE/EE could potentially allow an authenticated user to create a repository where the content viewed in the web interface does not match the content available for download. This discrepancy arises from inadequate handling of Git reference name resolution, which can lead to confusion and exploitation. The issue affects users in specific versions, highlighting the importance of regularly updating software to safeguard against such vulnerabilities.

Affected Version(s)

GitLab 16.5 < 18.11.7

GitLab 19.0 < 19.0.4

GitLab 19.1 < 19.1.2

References

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [shells3c](https://hackerone.com/shells3c) for reporting this vulnerability through our HackerOne bug bounty program
.