Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input.
Published: 2026-07-08
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Community and Enterprise Editions were affected by an improper input sanitization flaw that allows an authenticated user to inject arbitrary JavaScript into a web page rendered by other users, enabling cross‑site scripting. The flaw is defined as CWE‑79 and can result in data theft, credential compromise, or session hijacking in the victim’s browser.

Affected Systems

The vulnerability applies to all GitLab CE/EE releases from 15.7 up to, but not including, 18.11.7; from 19.0 up to, but not including, 19.0.4; and from 19.1 up to, but not including, 19.1.2. Users running any of those unpatched versions are therefore at risk.

Risk and Exploitability

The CVSS score of 7.3 indicates a moderate to high severity, but no EPSS score is available, and the issue is not listed in the CISA KEV catalog. Because the flaw requires an authenticated user, the attack vector is limited to privileged accounts in the GitLab instance, although successful exploitation can affect other users who view the compromised content. Official remediation is to upgrade to at least version 18.11.7, 19.0.4, or 19.1.2.

Generated by OpenCVE AI on July 9, 2026 at 04:05 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.7, 19.0.4, 19.1.2 or above.


OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to GitLab 18.11.7, 19.0.4, 19.1.2 or any later release.
  • If an upgrade cannot be performed immediately, restrict or disable content fields that accept user input (such as issue comments, merge request discussions, or wiki pages) until the patch is applied.
  • Monitor web‑application logs and user activity for indications of unexpected client‑side script execution or session hijacking prior to patching.

Generated by OpenCVE AI on July 9, 2026 at 04:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input.
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-07-08T20:46:13.854Z

Reserved: 2026-06-25T08:13:57.255Z

Link: CVE-2026-13320

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')