A number of important fixes, including one critical issue:<p><pre><code>[critical] Remote Command Execution via Project Imports
[high] XSS in ZenTao integration affecting self hosted instances without strict CSP
[high] XSS in project settings page
[high] Unallowed users can read unprotected CI variables
[medium] IP allow-list bypass to access Container Registries
[medium] 2FA status is disclosed to unauthenticated users
[medium] Restrict membership by email domain bypass
[medium] IDOR in sentry issues
[medium] Reporters can manage issues in error tracking
[medium] CI variables provided to runners outside of a group's restricted IP range
[medium] Regular Expression Denial of Service via malicious web server responses
[medium] Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint
[low] Unauthorized read for conan repository
[low] Open redirect vulnerability
[low] Group labels are editable through subproject
[low] Release titles visible for any users if group milestones are associated with any project releases</code></pre>