An authenticated user can inject arbitrary JavaScript into any web page rendered by GitLab when the markdown_placeholders feature flag is enabled. The vulnerability is a result of improper sanitization of placeholder content inside Markdown processing, leading to a classic Reflected Cross‑Site Scripting (XSS) flaw. An attacker who gains access to a GitLab account could use this injection to execute arbitrary scripts in the victim's browser, potentially compromising personal credentials, session tokens, or other sensitive data visible to the user.

The flaw affects GitLab Community Edition (CE) and Enterprise Edition (EE) from early releases starting at 10.6 up to, but not including, 18.7.6, all 18.8 releases before 18.8.6, and all 18.9 releases before 18.9.2. The affected product is identified by the CPE entries provided for GitLab.

The CVSS score of 8.7 indicates a high severity level (High). The EPSS score is less than 1%, suggesting that the probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, meaning it has not been tied to known, widespread exploitation campaigns. Exploitation requires the attacker to be an authenticated user with an enabled markdown_placeholders flag. Because the attack vector is a typical web interface action performed through a browser, the threat surface is limited to users with valid credentials and the feature flag set.