Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session, due to improper sanitization of user-supplied input.
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition contains a cross-site scripting (XSS) flaw (CWE-79): input supplied by an authenticated user holding the Developer role is not properly sanitized before being rendered, so a crafted payload executes arbitrary client-side code in the browser of another user who views it. Script running in the victim's session can perform actions against the GitLab instance on the victim's behalf, read data the victim is permitted to see, and alter what the victim sees on the page. The CVSS vector rates confidentiality and integrity impact as High and availability impact as None, so the threat is to the confidentiality and integrity of the affected instance, not its availability.

Affected Systems

All GitLab EE releases from 16.4 up to, but not including, 18.11.6; from 19.0 up to, but not including, 19.0.3; and from 19.1 up to, but not including, 19.1.1 are affected. Administrators should confirm the exact running version (shown in the Admin Area, or returned by the authenticated GET /api/v4/version endpoint) against these ranges before deciding on action.
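A version-range check, added here as an example and not part of the OpenCVE page or of GitLab's own tooling: it encodes the three affected ranges from the description and reports whether a given GitLab version string is affected and which release to move to. The JSON shape it consumes matches GitLab's authenticated GET /api/v4/version response (a `version` key such as `18.11.5-ee`); the sample response in the block is constructed, not captured from a real instance, and the ranges are taken literally from the description, so a version outside every listed range is reported as not affected.

```python
"""Check a GitLab EE version against the affected ranges in this advisory.

Added example; not code from OpenCVE or GitLab. Ranges are transcribed
from the advisory description (lower bound inclusive, upper bound exclusive).
"""

import re
from typing import Optional, Tuple

AFFECTED_RANGES = [
    ("16.4", "18.11.6"),
    ("19.0", "19.0.3"),
    ("19.1", "19.1.1"),
]

# First fixed release on each patched minor line, per the vendor solution.
FIXED_VERSIONS = ["18.11.6", "19.0.3", "19.1.1"]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '18.11.5-ee' or '19.0.2' into a comparable (major, minor, patch) tuple.

    GitLab reports self-managed versions with an '-ee' / '-ce' suffix and
    sometimes a pre-release tag; anything after the numeric
    MAJOR.MINOR[.PATCH] prefix is ignored. A missing patch counts as 0.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> Optional[str]:
    """Smallest fixed release on the same minor line, or None if not affected.

    Patched releases exist only for the 18.11, 19.0 and 19.1 lines. An
    affected instance on any other line (e.g. 17.x or 18.10) has no backport
    in this advisory, so it is pointed at the lowest fixed release, 18.11.6.
    """
    if not is_affected(version):
        return None
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == v[:2]:
            return fixed
    return FIXED_VERSIONS[0]


def triage(version_json: dict) -> dict:
    """Triage the JSON body returned by GitLab's GET /api/v4/version.

    The endpoint requires authentication and returns at least
    {"version": "<x.y.z-ee>", "revision": "<sha>"}; only "version" is used.
    """
    version = version_json["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": minimum_fix(version),
    }


if __name__ == "__main__":
    # Constructed sample response; not captured from a real instance.
    sample = {"version": "18.11.5-ee", "revision": "0123456"}
    print(triage(sample))
```

Run it against the real endpoint by feeding the decoded response body to `triage()`; the function deliberately does no network I/O so it can be dropped into an existing inventory script.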

Risk and Exploitability

The CVSS 3.1 base score of 8.7 (High) follows from the vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N: reachable over the network, low attack complexity, low privileges (the Developer role), user interaction required (the victim has to load the content carrying the payload), and a scope change because script injected through the GitLab application runs in the victim's browser. EPSS data is not yet available, so there is no empirical estimate of exploitation likelihood, and the CVE is not in the CISA KEV catalog, which means CISA has no confirmed evidence of exploitation in the wild; it says nothing about whether a public exploit exists. An attacker needs an account with the Developer role on a project, places the payload in a user-supplied field that the vulnerable release renders without proper sanitization, and waits for another user (a Maintainer or administrator is the most valuable target) to view it. Because Developer access is routinely granted to contributors and their content is reviewed by higher-privileged users as a matter of course, exploitation is plausible on any actively used project.

Generated by OpenCVE AI on June 25, 2026 at 06:20 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.


OpenCVE Recommended Actions

  • Upgrade your GitLab instance to 18.11.6, 19.0.3 or 19.1.1 (or a later release on that line), as recommended by the vendor. Older minor lines have no patched release, so an instance on, say, 18.10 should move to 18.11.6 or newer.
  • Until the upgrade is done, limit the Developer role to trusted accounts, review project and group membership for accounts that should not hold it, and treat content created by Developer-role users on the vulnerable release as untrusted. Restricting the role does not remove the flaw; it only narrows who can reach it.
  • A Web Application Firewall or a stricter Content Security Policy is defence in depth, not a fix: stored XSS payloads are often delivered in encoded or Markdown forms a WAF does not recognise, and GitLab ships with its own CSP, so tightening it must be tested against the release in use to avoid breaking the UI. Plan the upgrade regardless.

Generated by OpenCVE AI on June 25, 2026 at 06:20 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Values Added (no values removed in this record)

  • Description: GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session, due to improper sanitization of user-supplied input.
  • Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
  • First Time appeared: Gitlab; Gitlab gitlab
  • Weaknesses: CWE-79
  • CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  • Vendors & Products: Gitlab; Gitlab gitlab
  • References: (none)
  • Metrics: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T05:03:58.451Z

Reserved: 2026-05-29T12:04:39.988Z

Link: CVE-2026-10086

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T08:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')