Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Published: 2026-02-25
Score: 8.0 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: Cross‑site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated user to inject arbitrary JavaScript into the Mermaid sandbox UI of GitLab Community and Enterprise Editions. When a victim later opens the affected UI, the injected script executes in the victim's browser, where it can hijack the session, steal authentication cookies, deface the page, or execute further attacker-controlled code in the browser context. The weakness is classified as CWE-79 (improper neutralization of input during web page generation).

Affected Systems

All GitLab Community Edition and Enterprise Edition releases from 16.2 through 18.9.0 that have not yet received the corresponding fix are affected: specifically, 16.2 up to but not including 18.7.5, 18.8.0 up to but not including 18.8.5, and 18.9.0 (fixed in 18.9.1). Any instance running a version in these ranges requires remediation.

Risk and Exploitability

The CVSS v3.1 base score of 8.0 indicates high severity. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild as of the last report, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Nonetheless, because the flaw is reachable over the network without authentication and requires only that a victim view the vulnerable UI, the risk to end users warrants prompt action.

Generated by OpenCVE AI on April 18, 2026 at 10:36 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.5, 18.8.5, 18.9.1 or above.


OpenCVE Recommended Actions

  • Upgrade the GitLab installation to at least 18.7.5 (for 18.7.x), 18.8.5 (for 18.8.x), or 18.9.1 (for 18.9.x) and all subsequent releases; these versions contain the fix for the XSS flaw.
  • If an upgrade cannot be performed immediately, block or restrict access to the Mermaid sandbox UI via network controls or application routing rules so that no user can load the vulnerable interface until the patch is applied.
  • Alternatively, disable Mermaid diagram rendering in the GitLab configuration or use feature flags to prevent the vulnerable UI from rendering until the fix is deployed.
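
A version check against the affected ranges stated in this advisory, added here as an example; it is not part of the advisory or of GitLab's own tooling. It assumes the version string is the one GitLab itself reports (for example the `version` field returned by `/api/v4/version`), optionally carrying an edition suffix such as `-ee` or `-ce`.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as [lower bound, first fixed release).
# 16.2 before 18.7.5, 18.8 before 18.8.5, 18.9 before 18.9.1.
AFFECTED_RANGES = (
    ((16, 2, 0), (18, 7, 5)),
    ((18, 8, 0), (18, 8, 5)),
    ((18, 9, 0), (18, 9, 1)),
)


def parse_version(version: str) -> Version:
    """Turn a GitLab version string such as '18.8.4-ee', 'v18.9.0' or '16.2'
    into a comparable (major, minor, patch) tuple. Edition suffixes and any
    trailing pre-release tag are ignored; a missing component defaults to 0."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the reported version falls inside any vulnerable range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> Optional[str]:
    """Smallest patched release at or above the given version, or None if the
    version is not affected (already fixed, or older than 16.2)."""
    v = parse_version(version)
    for lo, fixed in AFFECTED_RANGES:
        if lo <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("git-a", "18.9.0-ee"), ("git-b", "18.7.5"), ("git-c", "17.4.2-ce")]:
        fix = minimum_fixed_version(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not affected'}")
```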

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 00:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:enterprise:*:*:*

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T14:44:05.136Z

Reserved: 2026-01-08T20:04:05.088Z

Link: CVE-2026-0752

Vulnrichment

Updated: 2026-02-26T14:08:31.639Z

NVD

Status : Analyzed

Published: 2026-02-25T21:16:36.330

Modified: 2026-02-28T00:44:58.627

Link: CVE-2026-0752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses