Gitlab
| Year | Title | Severity | Report |
|---|---|---|---|
| 2023 | Stored-XSS injected in Wiki page via Banzai pipeline | 🟠 High 8.7 | link |
| 2022 | Stored XSS in Notes (with CSP bypass for gitlab.com) | 🟠 High 8.7 | link |
| 2022 | Stored XSS via Kroki diagram | 🟠 High 8.7 | link |
| 2022 | Stored-XSS with CSP-bypass via labels' color | 🟠 High 8.7 | link |
| 2022 | Bypass: Stored-XSS with CSP-bypass via scoped labels' color | 🟠 High 8.7 | link |
| 2022 | XSS in ZenTao integration affecting self-hosted instances without strict CSP | 🟠 High 8.7 | link |
| 2022 | XSS: v-safe-html is not safe enough | 🟠 High 8.7 | link |
| 2022 | CSP-bypass XSS in project settings page | 🟠 High 8.0 | link |
| 2021 | Stored XSS on issue comments and other pages which contain notes | 🟠 High 8.7 | link |
| 2021 | XSS by clicking Jira's link | 🟡 Medium 5.8 | link |
| 2019 | Stored XSS in merge request pages | 🟠 High (7.0 - 8.9) | link |
| 2019 | Stored XSS for Grafana dashboard URL | 🟠 High (7.0 - 8.9) | link |