Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting
Action: Apply Patch
AI Analysis

Impact

GitLab contains a flaw where entity-encoded content inside Mermaid diagrams is not properly sanitized. An authenticated user who can add or edit a diagram can inject arbitrary JavaScript. If another user views the diagram, the script runs in the victim’s browser, allowing the attacker to execute code on the victim’s behalf.

Affected Systems

The vulnerability affects GitLab Community Edition and Enterprise Edition for all releases from version 17.7 up to—but not including—18.8.7, all 18.9 releases prior to 18.9.3, and the 18.10 release prior to 18.10.1. Upgrading to 18.8.7, 18.9.3, 18.10.1 or later removes the flaw.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, and the EPSS score of less than 1% reflects a low likelihood of exploitation in the wild. The vulnerability does not appear in the CISA KEV catalog. Exploitation requires the attacker to have authenticated access to the GitLab instance and the ability to create or modify a Mermaid diagram that is subsequently viewed by other users.

Generated by OpenCVE AI on March 26, 2026 at 18:56 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.7, 18.9.3, 18.10.1, or a later release where the issue is resolved.
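The only remediation listed is a version upgrade, so the practical check is whether a given instance's reported version sits inside the affected ranges stated above (17.7 before 18.8.7, 18.9 before 18.9.3, 18.10 before 18.10.1). The following Python is an added example, not code from OpenCVE or GitLab; it assumes the version string has the shape "MAJOR.MINOR[.PATCH][-ee|-ce]", and the host inventory at the bottom is constructed sample data.

```python
"""Flag GitLab versions that fall inside the affected ranges this advisory lists.

Added example (not OpenCVE's or GitLab's code). Assumes version strings look like
"MAJOR.MINOR[.PATCH][-ee|-ce]"; adjust parse_version() if your instance reports
its version differently.
"""
import re

# Affected ranges from the advisory text, as [first affected, first fixed) tuples.
# The 17.x line has no separate fix, so it shares the 18.8.7 upper bound.
AFFECTED_RANGES = (
    ((17, 7, 0), (18, 8, 7)),
    ((18, 9, 0), (18, 9, 3)),
    ((18, 10, 0), (18, 10, 1)),
)

# MAJOR.MINOR with optional .PATCH and an optional -ee / -ce / +build suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?\s*$")


def parse_version(text):
    """Turn '18.8.6-ee' into (18, 8, 6); a missing patch component counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text):
    """True if the version lies inside any [first affected, first fixed) range."""
    v = parse_version(text)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def minimum_fix_for(text):
    """Return the first fixed version on the instance's release line, or None if not affected."""
    v = parse_version(text)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    inventory = [
        ("gitlab-a", "18.8.6-ee"),
        ("gitlab-b", "18.9.3"),
        ("gitlab-c", "18.10.0"),
        ("gitlab-d", "17.9.2-ce"),
    ]
    for host, version in inventory:
        fix = minimum_fix_for(version)
        status = f"upgrade to {fix} or later" if fix else "not affected"
        print(f"{host}: {version} -> {status}")
```

Because the ranges are half-open, a version exactly equal to a fixed release (18.8.7, 18.9.3, 18.10.1) is reported as not affected, which matches the "before" wording in the description.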


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
     |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
     |                | cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*
     |                | cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Wed, 25 Mar 2026 16:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.
Title               |                | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared |                | Gitlab
                    |                | Gitlab gitlab
Weaknesses          |                | CWE-79
CPEs                |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products  |                | Gitlab
                    |                | Gitlab gitlab
References          |                |
Metrics             |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-26T17:24:32.440Z

Reserved: 2026-02-22T11:04:12.829Z

Link: CVE-2026-2973

Vulnrichment

Updated: 2026-03-26T17:24:27.696Z

NVD

Status: Analyzed

Published: 2026-03-25T17:16:58.183

Modified: 2026-03-26T17:43:28.610

Link: CVE-2026-2973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:26Z

Weaknesses