Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that, under certain conditions, could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation.
Published: 2026-06-25
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab has a vulnerability that allows an unauthenticated user to inject and execute arbitrary JavaScript within a victim's browser session. The flaw stems from improper path validation during web page generation, which lets attacker-controlled content reach the rendered page unneutralized. At its core this is a CWE-79 (cross-site scripting) input validation flaw, which can enable attackers to hijack sessions, steal credentials, or perform other actions within the victim's browser context. The impact is non-destructive to the GitLab server itself but can compromise the confidentiality and integrity of users who view the affected pages.

Affected Systems

The issue affects GitLab Community and Enterprise Editions from version 18.10 up to but not including 18.11.6, from 19.0 up to but not including 19.0.3, and from 19.1 up to but not including 19.1.1. All earlier or fixed releases are not impacted.

Risk and Exploitability

With a CVSS score of 8 the vulnerability is rated high severity. Exploitation requires no privileges, but the CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C) records high attack complexity and required user interaction, so in practice a victim must be induced to open a crafted URL. No EPSS score is available, and the CVE is not listed in the KEV catalog, meaning no in-the-wild exploitation has been recorded so far. Nevertheless, the potential for widespread attacks against exposed installations warrants prompt action.

Generated by OpenCVE AI on June 25, 2026 at 06:51 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.11.6, 19.0.3, 19.1.1 or newer to receive the fix for the improper path validation issue.
  • While the upgrade is pending, configure a web application firewall or rewrite rules to block or sanitize requests containing suspicious path segments that could trigger the XSS flaw.
  • Limit exposure of the GitLab instance by placing it behind an internal firewall or proxy and ensuring that only authenticated or trusted users can reach it, reducing the chance of unauthenticated users reaching the vulnerable URLs.



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.
Title                (none)           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared  (none)           Gitlab; Gitlab gitlab
Weaknesses           (none)           CWE-79
CPEs                 (none)           cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Gitlab; Gitlab gitlab
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T04:33:54.043Z

Reserved: 2026-06-02T19:03:41.470Z

Link: CVE-2026-10712

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T08:15:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')