Description
GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.
Published: 2026-03-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The issue in GitLab Enterprise Edition allows an authenticated user to add email addresses to targeted accounts because HTML content is not properly sanitized. This flaw can be leveraged to inject malicious scripts that execute in the victim’s browser, potentially enabling cookie theft, session hijacking, or defacement. The vulnerability is a classic example of improper neutralization of script‑related HTML tags and qualifies as a basic XSS attack.

Affected Systems

GitLab Enterprise Edition users are impacted. The vulnerability exists in all GitLab EE releases from version 15.4 up through 18.8.6 (the 18.7 series included), in the 18.9 series up through 18.9.2, and in 18.10.0. Any instance running one of these versions, i.e. anything before the fixed releases 18.8.7, 18.9.3, or 18.10.1, is susceptible.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while the EPSS probability is below 1 percent, implying that the likelihood of observed exploitation is low. It is not listed in the CISA KEV catalog. The attack requires authenticated access and use of the email-addition functionality, which is commonly available to registered users, so the attack vector is likely authenticated XSS. Given the high impact and the availability of an official patch, the risk to affected deployments is significant if the vulnerability remains unpatched.

Generated by OpenCVE AI on March 26, 2026 at 18:27 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1, or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.7, 18.9.3, 18.10.1, or a later release to apply the vendor patch.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.
Title Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-80
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-26T13:20:13.378Z

Reserved: 2026-02-22T23:34:07.544Z

Link: CVE-2026-2995

Vulnrichment

Updated: 2026-03-26T13:20:10.519Z

NVD

Status: Analyzed

Published: 2026-03-25T17:16:58.347

Modified: 2026-03-26T17:42:57.473

Link: CVE-2026-2995

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:28Z

Weaknesses