Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project label titles.
Published: 2026-02-11
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via Project Label Titles
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated user to inject arbitrary HTML or script content into project label titles, enabling basic cross‑site scripting attacks. The flaw is a classic example of improper neutralization of script‑related HTML tags (CWE‑80).

Affected Systems

Affected products are GitLab Community Edition and Enterprise Edition. Vulnerable releases are 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4.

Risk and Exploitability

The CVSS 3.1 score of 3.5 (vector AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) falls in the Low range, and the EPSS value below 1% suggests exploitation is unlikely at present. The flaw requires the attacker to be authenticated (PR:L) and requires a victim to interact with the injected label title (UI:R); it is not catalogued in the CISA KEV database. The vector records a limited integrity impact only (C:N/I:L/A:N), and exposure is confined to projects in which the attacker can modify label titles. The payload is delivered over the network and executes in the victim's browser, so the attack is client-side.

Generated by OpenCVE AI on April 18, 2026 at 12:41 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.6.6, 18.7.4, 18.8.4 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.6.6, 18.7.4, 18.8.4 or later to remove the vulnerability.
  • Ensure that all GitLab components that allow project label creation are running the patched version.
  • Limit label editing rights to trusted personnel and monitor for anomalous changes to detect potential exploitation.



Advisories

No advisories yet.

History

Thu, 12 Feb 2026 21:30:00 +0000

Values Removed: none
Values Added:
  CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
        cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Feb 2026 22:15:00 +0000

Values Removed: none
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 11:30:00 +0000

Values Removed: none
Values Added:
  Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project label titles.
  Title: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
  First Time appeared: Gitlab (vendor), Gitlab gitlab (product)
  Weaknesses: CWE-80
  CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  Vendors & Products: Gitlab (vendor), Gitlab gitlab (product)
  References: none listed
  Metrics: cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-11T21:18:14.189Z

Reserved: 2026-01-21T06:33:13.239Z

Link: CVE-2026-1282

Vulnrichment

Updated: 2026-02-11T21:17:43.085Z

NVD

Status: Analyzed

Published: 2026-02-11T12:16:04.403

Modified: 2026-02-12T21:22:02.510

Link: CVE-2026-1282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses