Critical Unauthenticated Remote Code Execution Flaws Disclosed in GitLab and Apache Commons Text
Authorities warned of critical vulnerabilities in GitLab Community Edition and Enterprise Edition and the Apache Commons Text component that could be exploited remotely over a network. In both cases, the flaws were described as reachable without physical access, requiring no user interaction and no prior authentication, making internet-exposed systems particularly at risk.
The advisories indicate that attackers could target the vulnerable software directly rather than relying on phishing or stolen credentials, raising the likelihood of rapid opportunistic exploitation. Organizations using affected GitLab deployments or applications that include Apache Commons Text were urged to identify exposed assets quickly and prioritize remediation because the weaknesses could enable severe compromise through unauthenticated remote attacks.
Timeline
May 25, 2023
Critical GitLab CE/EE vulnerability disclosed
Traficom published an alert about a critical vulnerability affecting GitLab Community Edition and Enterprise Edition. The synopsis states the issue was remotely exploitable without physical access, user interaction, or authentication.
Oct 18, 2022
Critical Apache Commons Text vulnerability disclosed
Traficom published an alert about a critical vulnerability in the Apache Commons Text component. The synopsis indicates the flaw could be exploited remotely over a network without user interaction or authentication.
Related Stories

GitLab and Gitea Flaws Prompt Advisories Over Multiple Security Risks
German authorities issued multiple security advisories for **GitLab** and **Gitea**, warning of newly tracked vulnerabilities that affect widely used source code management and DevOps platforms. Two separate dCERT notices flagged **multiple vulnerabilities in GitLab**, indicating more than one security issue requiring administrator attention across the platform. A separate dCERT advisory warned that **Gitea** contains a vulnerability that can **bypass security measures**, raising concern that protections intended to restrict access or enforce policy may be circumvented. While the advisories did not publish technical synopses in the referenced notices, the alerts indicate that organizations using GitLab or Gitea should review vendor guidance, identify affected deployments, and prioritize patching or other mitigations.
1 week ago
Critical Remote Code Execution Vulnerability in Apache Commons Text (CVE-2025-46295)
A critical vulnerability, CVE-2025-46295, has been identified in Apache Commons Text, allowing for potential remote code execution when untrusted input is passed into the text-substitution API. The flaw, which affects versions prior to 1.10.0, stems from the abuse of interpolation features that could trigger command execution or access to external resources. Security researchers warn that exploitation of this vulnerability could result in total server takeover if left unpatched, and the issue has been fully addressed in FileMaker Server 22.0.4. Organizations using Apache Commons Text in their applications are urged to update to the latest version to mitigate the risk. The vulnerability has been rated with a CVSS score of 9.8, underscoring its severity and the urgency for remediation. No specific products have been listed as affected yet, but the risk applies broadly to any software leveraging vulnerable versions of the library.
1 month ago
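The story above describes the risk as untrusted input reaching the text-substitution API while interpolation lookups are enabled. The following is an added example, not code from the advisory or from the Apache Commons Text project, showing the defensive pattern of building a `StringSubstitutor` from an explicit allow-list of lookups rather than the full default interpolator. It assumes `commons-text` is on the classpath; the class name `SafeSubstitutorExample`, the `app` prefix, and the `${notallowed:x}` input are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Hypothetical helper (not part of Commons Text) that builds a substitutor
 * knowing only the lookups the application actually needs, instead of
 * StringSubstitutor.createInterpolator(), which registers every built-in
 * lookup under its prefix.
 */
public final class SafeSubstitutorExample {

    /** Returns a substitutor whose only resolvable prefix is "app" (a fixed map). */
    static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        Map<String, StringLookup> allowed = new HashMap<>();
        // Allow-list: one application-controlled map, reachable as "${app:key}".
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appValues));
        // addDefaultLookups=false keeps the built-in lookups (including the
        // ones that run scripts or fetch external resources) unregistered,
        // so their prefixes are inert; no default lookup is supplied either.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        Map<String, String> appValues = new HashMap<>();
        appValues.put("product", "Example Service"); // constructed sample value

        StringSubstitutor safe = restrictedSubstitutor(appValues);

        // Allow-listed prefix resolves as intended.
        System.out.println(safe.replace("Welcome to ${app:product}"));

        // Constructed untrusted input using a prefix that is not on the
        // allow-list: it is left untouched instead of being dispatched to a
        // built-in lookup, which is the behaviour a defender wants here.
        String untrusted = "${notallowed:x}";
        String out = safe.replace(untrusted);
        if (!untrusted.equals(out)) {
            throw new IllegalStateException("unexpected substitution: " + out);
        }
        System.out.println("Unknown prefix left as-is: " + out);
    }
}
```

Pairing this with an upgrade to a fixed library version is the usual remediation; the allow-list is what limits the blast radius if a templating path that takes user-supplied strings is overlooked during the upgrade.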
GitLab patches CSRF and XSS flaws enabling token theft and browser-side code execution
GitLab disclosed and remediated three high-severity vulnerabilities in GitLab CE/EE that could be exploited by unauthenticated attackers under certain conditions. **CVE-2026-4922** is a cross-site request forgery flaw (`CWE-352`) that could let an attacker trigger GraphQL mutations as an authenticated user, while **CVE-2026-5262** is a cross-site scripting issue (`CWE-79`) that could expose tokens in the Storybook development environment. GitLab also fixed **CVE-2026-5816**, an improper path validation flaw (`CWE-41`) that could allow arbitrary JavaScript execution in a victim’s browser session. The issues affect multiple GitLab CE/EE release lines, with patched versions identified as **18.9.6**, **18.10.4**, and **18.11.1** depending on the flaw. CVE-2026-4922 affects versions from `17.0` before `18.9.6`, `18.10` before `18.10.4`, and `18.11` before `18.11.1`; CVE-2026-5262 affects versions from `16.1.0` before `18.9.6`, `18.10` before `18.10.4`, and `18.11` before `18.11.1`; and CVE-2026-5816 affects `18.10` before `18.10.4` and `18.11` before `18.11.1`. The vulnerabilities carry CVSS v3.1 ratings reflecting high confidentiality and integrity impact, and GitLab linked the disclosures to its patch release notice, internal work items, and HackerOne reports.
1 week ago