Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Cross‑site Scripting
Action: Patch Now
AI Analysis

Impact

GitLab Enterprise Edition contains a flaw in its customizable analytics dashboards that allows an authenticated user to submit input that is not properly sanitized before being rendered into a web page. The unsanitized data is inserted as JavaScript, enabling the attacker to execute arbitrary scripts in the browsers of other authenticated users who view the affected dashboard. Such scripts could steal session cookies, perform actions on behalf of the victim, or conduct other client‑side attacks.

Affected Systems

The vulnerability affects GitLab EE installations running 18.2 or later that have not reached the fixed release for their branch: every release from 18.2 up to but not including 18.8.9, 18.9 releases before 18.9.5, and 18.10 releases before 18.10.3. Installations still on any of those releases are exposed until the stated patches are applied.
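The three affected ranges above are easy to misread when checking an inventory by hand (18.8.9 sits numerically inside "18.2 up through 18.10.2" yet is a fixed release). The following Python script is an added example, not OpenCVE's or GitLab's code: it encodes the ranges exactly as the advisory states them, parses a GitLab version string of the form GitLab itself reports (e.g. "18.8.9-ee"; a bare number is assumed to be EE as the worst case), and returns the fixed release an installation must reach. Versions on branches the advisory does not list (such as 18.1.x or 18.11.x) and Community Edition builds are reported as not affected, because the advisory covers GitLab EE only; the host names in the sample inventory are constructed.

```python
"""Classify an installed GitLab EE version against the affected ranges that
the CVE-2026-4332 advisory text states: 18.2 before 18.8.9, 18.9 before
18.9.5, and 18.10 before 18.10.3.  Added example; not OpenCVE's or GitLab's code."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (introduced, fixed) pairs copied from the advisory description.  A version
# is affected when introduced <= version < fixed for any pair; the fixed
# release of that pair is the upgrade target for that branch.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((18, 2, 0), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
]

# Accepts "18.8.9", "18.8.9-ee" or "18.8.9-ce" (the form GitLab reports in its
# version string).  The edition suffix is optional; a bare number is treated
# as EE (assumption: worst case when the edition is unknown).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(ee|ce))?$")


def parse_version(text: str) -> Tuple[Version, str]:
    """Return ((major, minor, patch), edition) for a GitLab version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch or 0)), (edition or "ee")


def fixed_version_for(text: str) -> Optional[str]:
    """Fixed release the installation must reach, or None when not affected.

    Returns None for Community Edition (the advisory covers GitLab EE only)
    and for versions outside the three listed ranges, e.g. 18.1.x or 18.11.x.
    """
    version, edition = parse_version(text)
    if edition == "ce":
        return None
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= version < fixed:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    return fixed_version_for(text) is not None


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are made up).
    inventory = {
        "git-prod-01": "18.10.2-ee",
        "git-prod-02": "18.8.9-ee",
        "git-staging": "18.9.4-ee",
        "git-legacy": "18.1.7-ee",
        "git-ce-lab": "18.10.2-ce",
    }
    for host, ver in inventory.items():
        target = fixed_version_for(ver)
        status = f"AFFECTED, upgrade to {target}" if target else "not affected"
        print(f"{host:12} {ver:12} {status}")
```

The comparison uses tuples rather than string ordering so that 18.10.x sorts after 18.9.x, which is the usual source of mistakes when such ranges are checked with plain string comparison.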

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. Exploitation requires the attacker to be an authenticated user with permission to edit or create dashboards. Because the impact is limited to the victim’s browser, it does not allow server compromise, but it can lead to credential theft or session hijacking. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Nevertheless, the ability to compromise client‑side sessions warrants timely remediation.

Generated by OpenCVE AI on April 8, 2026 at 23:51 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab Enterprise Edition to at least version 18.8.9, 18.9.5, or 18.10.3.

Generated by OpenCVE AI on April 8, 2026 at 23:51 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
Title | (none) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared | (none) | Gitlab; Gitlab gitlab
Weaknesses | (none) | CWE-79
CPEs | (none) | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Gitlab; Gitlab gitlab
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:25:27.848Z

Reserved: 2026-03-17T14:04:05.574Z

Link: CVE-2026-4332

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T23:16:59.683

Modified: 2026-04-08T23:16:59.683

Link: CVE-2026-4332

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:40Z

Weaknesses