Gitlab -- Gitlab

Gitlab reports:

Stored XSS in Mermaid when viewing Markdown files
Stored XSS in default branch name
Perform Git actions with an impersonation token even if impersonation is disabled
Tag and branch name confusion allows Developer to access protected CI variables
New subscriptions generate OAuth tokens on an incorrect OAuth client application
Ability to list and delete impersonation tokens for your own user
Pipelines page is partially visible for users that have no right to see CI/CD
Improper email validation on an invite URL
Unauthorised user was able to add meta data upon issue creation
Unauthorized user can trigger deployment to a protected environment
Guest in private project can see CI/CD Analytics
Guest users can create issues for Sentry errors and track their status
Private user email disclosure via group invitation
Projects are allowed to add members with email address domain that should be blocked by group settings
Misleading username could lead to impersonation in using SSH Certificates
Unauthorized user is able to access and view project vulnerability reports
Denial of service in repository caused by malformed commit author