Critical Remote Code Execution Vulnerability in GitBucket Disclosed
ID: 4f333c18-0f34-5c4b-905f-b73aeb97cc6b
STIX ID: report--4f333c18-0f34-5c4b-905f-b73aeb97cc6b
Feed Name: ThreatCluster
Threat Score
A critical remote code execution vulnerability (CVE-2018-25332) affects GitBucket 4.23.1. Attackers can exploit weak secret token generation and insecure file upload via the git-lfs endpoint to brute-force a Blowfish key, upload malicious JAR plugins, and execute arbitrary commands. It was validated by three independent sources and disclosed May 17, 2026. Affected organizations should assess and remediate vulnerable instances immediately.
