Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.
Published: 2026-05-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab disclosed an improper neutralization of input during web page generation that permits an authenticated user to embed malicious JavaScript. When another user views the affected content, the payload runs in their browser, potentially enabling the attacker to steal session data, hijack the session, or perform unauthorized actions on the victim's behalf. The flaw is a classic cross-site scripting issue (XSS, CWE-79) and could compromise the confidentiality, integrity, or availability of user data if a privileged user is targeted.

Affected Systems

GitLab Community Edition and Enterprise Edition, versions from 18.11.0 up to but excluding 18.11.3, are affected. All 18.11 releases prior to 18.11.3 contain the flaw and should be updated.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, but because the vulnerability enables arbitrary code execution in a victim's browser, the practical impact is high if the attacker can authenticate and inject a payload. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no known in-the-wild exploitation at present. The likely attack path requires a legitimate, authenticated account to inject malicious content that is later rendered for another user, so exploitation depends on user interaction and on the presence of a vulnerable input field.

Generated by OpenCVE AI on May 14, 2026 at 07:26 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.11.3 or later
  • Revoke or rotate any credentials or tokens potentially exposed during the vulnerability window
  • Monitor system logs for signs of XSS exploitation or anomalous user activity

Advisories

No advisories yet.

History

Fri, 15 May 2026 20:00:00 +0000

Type: CPEs
  Values: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
          cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Fri, 15 May 2026 10:15:00 +0000

Type: Metrics
  Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 14:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type: Description
  Added: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.
Type: Title
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Type: First Time appeared
  Added: Gitlab; Gitlab gitlab
Type: Weaknesses
  Added: CWE-79
Type: CPEs
  Added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Added: Gitlab; Gitlab gitlab
Type: References
Type: Metrics
  Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-15T09:58:59.492Z

Reserved: 2026-04-15T09:04:47.248Z

Link: CVE-2026-6335

Vulnrichment

Updated: 2026-05-14T13:19:40.426Z

NVD

Status: Analyzed

Published: 2026-05-14T06:16:24.780

Modified: 2026-05-15T19:54:51.297

Link: CVE-2026-6335

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:45:16Z

Weaknesses