Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles.
Published: 2026-02-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Account compromise via XSS
Action: Immediate patch
AI Analysis

Impact

GitLab contains a cross-site scripting flaw that lets an authenticated user inject malicious HTML into test case titles. The injected script can manipulate the victim's account to add unauthorized email addresses, enabling an attacker to alter account settings or redirect communication. This vulnerability is classified as CWE-79 and can lead to unauthorized account modification.

Affected Systems

The defect affects GitLab Community Edition and Enterprise Edition in all releases from 13.9 up to, but not including, the patched versions (13.9 ≤ v < 18.6.6, 18.7 ≤ v < 18.7.4, 18.8 ≤ v < 18.8.4). Users running these versions are susceptible.

Risk and Exploitability

The base CVSS score is 7.3 (high severity), yet the EPSS score is below 1%, indicating a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and have permission to create or edit test case titles; the attack is therefore limited to users with at least project maintainer privileges. Once the script executes in the victim's browser, the attacker can add additional email addresses to the account.

Generated by OpenCVE AI on April 17, 2026 at 20:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.6.6, 18.7.4, 18.8.4 or above.
OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.6.6, 18.7.4, 18.8.4 or later.
  • Restrict user permissions so that only trusted users can create or edit test case titles until the patch is applied.
  • Review audit logs for suspicious test case edits and detect unauthorized email address additions.

Generated by OpenCVE AI on April 17, 2026 at 20:22 UTC.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
     | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 12 Feb 2026 05:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test case titles.
Title | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared | | Gitlab; Gitlab gitlab
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | | Gitlab; Gitlab gitlab
References | |
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T14:44:28.036Z

Reserved: 2026-01-05T02:03:58.124Z

Link: CVE-2026-0595

Vulnrichment

Updated: 2026-02-11T15:18:58.252Z

NVD

Status : Analyzed

Published: 2026-02-11T12:16:03.830

Modified: 2026-02-12T21:16:37.217

Link: CVE-2026-0595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses