Impact
The vulnerability exists in the customizable analytics dashboards of GitLab Enterprise Edition. An authenticated user can supply dashboard input that is not properly neutralized, which allows arbitrary JavaScript to execute in other users' browsers when they view the affected analytics dashboard. The primary impact is that attacker-controlled script runs in the victim's browser context, a classic stored Cross-Site Scripting flaw (CWE-79). Based on the description, it is inferred that such a script could affect the confidentiality, integrity, or availability of the affected users' sessions, but the specific consequences are not detailed in the CVE text.
Affected Systems
GitLab Enterprise Edition versions 18.7 up to but not including 18.9.7, 18.10 up to but not including 18.10.6, and 18.11 up to but not including 18.11.3 are vulnerable. These releases ship the customizable analytics dashboards in which the flaw resides.
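A practical first check for a defender is to test an installed GitLab EE version string against the three affected ranges above. The following is an added example written for this page, not code from OpenCVE or GitLab; the version ranges are taken verbatim from the advisory text, and the handling of a trailing "-ee" suffix is an assumption about how GitLab reports its version.

```python
"""Check a GitLab EE version string against the affected ranges in this advisory.

Added example, not part of the OpenCVE entry or the GitLab project.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, upper bound exclusive), copied from the advisory:
#   18.7  <= v < 18.9.7
#   18.10 <= v < 18.10.6
#   18.11 <= v < 18.11.3
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((18, 7, 0), (18, 9, 7)),
    ((18, 10, 0), (18, 10, 6)),
    ((18, 11, 0), (18, 11, 3)),
]


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    A trailing edition suffix such as '-ee' (assumed GitLab format) is ignored.
    Raises ValueError for anything that is not three dotted integers.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def first_fixed_version(version: str) -> Optional[str]:
    """Return the release that closes the affected range containing this
    version (the minimum safe upgrade target), or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ci-01", "18.8.2-ee"), ("ci-02", "18.10.6-ee"), ("ci-03", "18.11.2")]:
        fix = first_fixed_version(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: {ver} -> {status}")
```

Note that 18.7.x and 18.8.x have no dedicated patch release in the advisory; the range ends at 18.9.7, so that is the upgrade target the function reports for them.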
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. The EPSS score is unavailable, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who can create or edit a dashboard; once authenticated, an attacker can inject JavaScript that executes in any other authenticated user's browser when that user views the dashboard. The potential impact is limited to the victim's browser context and requires the victim to view the compromised page. Based on the description, it is inferred that a malicious insider or a compromised legitimate account could abuse the flaw, but no public exploit is known.
OpenCVE Enrichment