Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.
Published: 2026-05-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab has identified a code injection vulnerability in its email notification system that allows an authenticated user to inject malicious HTML and JavaScript. The flaw arises from insufficient sanitization of user-supplied input rendered in outgoing emails, enabling the attacker to deliver arbitrary JavaScript to recipients and potentially conduct phishing or cross-site scripting attacks (CWE-94).

Affected Systems

The vulnerability affects GitLab Community Edition and Enterprise Edition instances. All versions from 15.11 up to but not including 18.9.7, from 18.10 up to but not including 18.10.6, and from 18.11 up to but not including 18.11.3 are impacted. The affected product is generally referred to as GitLab.

Risk and Exploitability

The CVSS score is 5.4, indicating a medium severity impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, so current exploit activity is unknown. The attack requires an authenticated user with permission to post content that will be included in email notifications. Once exploited, the attacker can compromise the confidentiality and integrity of the email content, potentially leading to phishing and credential theft. While the risk is moderate, the lack of public exploit evidence means the threat remains primarily theoretical at this time.

Generated by OpenCVE AI on May 14, 2026 at 07:20 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab CE or EE to release 18.9.7, 18.10.6, 18.11.3, or newer versions.
  • Apply the same patch to any custom or unofficial GitLab distributions that may contain the same code path.
  • Ensure that all email templates are sanitized and disable any custom content that could be injected by authenticated users.
  • Remove or restrict the privileges of users who can post content that triggers email notifications.

Generated by OpenCVE AI on May 14, 2026 at 07:20 UTC.

Tracking


Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.
Title Improper Control of Generation of Code ('Code Injection') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-94
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T17:47:03.748Z

Reserved: 2025-11-03T21:33:31.186Z

Link: CVE-2025-12669

Vulnrichment

Updated: 2026-05-14T17:46:59.537Z

NVD

Status : Analyzed

Published: 2026-05-14T06:16:19.370

Modified: 2026-05-16T03:38:23.790

Link: CVE-2025-12669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:15:15Z

Weaknesses