Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization.
Published: 2026-05-14
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition contains a cross-site scripting vulnerability that allows an authenticated user with developer-role permissions to inject and execute arbitrary JavaScript in other users' browsers. The flaw stems from improper neutralization of user input when generating web pages. Successful exploitation would compromise the confidentiality and integrity of a victim's session, potentially permitting credential theft, session hijacking, or malicious navigation. This weakness is identified as CWE-79 and is rated high severity (CVSS 8.7).

Affected Systems

The issue affects GitLab Enterprise Edition releases from 16.4 up to and including 18.9.6, the 18.10 series up to and including 18.10.5, and the 18.11 series up to and including 18.11.2. Users running any of these versions are at risk and should upgrade immediately.

Risk and Exploitability

Exploitation requires an authenticated account with developer-role permissions, so valid credentials are needed, but a successful attack compromises other users through the web interface. No public exploit is currently documented, and the EPSS score is not available, though the high CVSS score indicates significant potential damage. The CVE is not listed in CISA KEV, but the absence of a public exploit does not remove the risk of an attacker crafting a custom payload. The likely attack vector is web-based code injection through a form or URL parameter that is rendered without proper escaping.

Generated by OpenCVE AI on May 14, 2026 at 07:53 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.
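As an added example (not code from the OpenCVE page or from GitLab), the following Python helper checks a deployed GitLab EE version string against the three affected ranges stated in the description and reports the first patched release on that branch. The branch-aware comparison matters here: 18.9.7 is fixed, but 18.10.0 and 18.11.0 are still affected, and a later branch such as 18.12 is not listed at all. The host inventory and host names are constructed sample data.

```python
import re

# Affected ranges from the advisory, as (inclusive lower, exclusive upper) bounds:
#   16.4 <= v < 18.9.7, 18.10 <= v < 18.10.6, 18.11 <= v < 18.11.3.
# The exclusive upper bound of each range is also the first fixed release on that branch.
AFFECTED_RANGES = [
    ((16, 4, 0), (18, 9, 7)),
    ((18, 10, 0), (18, 10, 6)),
    ((18, 11, 0), (18, 11, 3)),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple of ints.

    GitLab reports its version as e.g. '18.9.6-ee'; the '-ee' edition suffix and
    anything after the patch number are ignored. A missing patch number is
    treated as .0, so '18.10' means 18.10.0 (the first release of that branch).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version_text):
    """Return the first patched release on the affected branch, or None when the
    version lies outside every affected range (already patched, older than 16.4,
    or on a later branch that shipped after the fix)."""
    v = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if lower <= v < upper:
            return ".".join(str(n) for n in upper)
    return None


def is_affected(version_text):
    return fixed_version_for(version_text) is not None


def triage(inventory):
    """Map each affected host to the minimum release it should be upgraded to.
    `inventory` is a dict of host name -> reported GitLab version string."""
    return {
        host: fixed
        for host, ver in inventory.items()
        if (fixed := fixed_version_for(ver)) is not None
    }


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "gitlab-prod": "18.9.6-ee",      # affected: upgrade to 18.9.7
    "gitlab-staging": "18.10.6-ee",  # already patched
    "gitlab-legacy": "16.3.9-ee",    # before the affected range
    "gitlab-dev": "18.11",           # 18.11.0, affected: upgrade to 18.11.3
    "gitlab-new": "18.12.1-ee",      # later branch, not listed as affected
}

if __name__ == "__main__":
    for host, target in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: affected, upgrade to {target} or later")
```

The version string can be taken from the GitLab admin area or the instance's own version reporting; the parser deliberately tolerates the `-ee` suffix so the value can be pasted in unchanged.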


OpenCVE Recommended Actions

  • Upgrade to GitLab 18.9.7, 18.10.6, 18.11.3 or any later release.
  • Configure strict input sanitization for user-generated content to reduce XSS risk.
  • Enforce role-based access control and two-factor authentication for users with developer permissions.

Generated by OpenCVE AI on May 14, 2026 at 07:53 UTC.


Advisories

No advisories yet.

History

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input sanitization.
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared Gitlab, Gitlab gitlab
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab, Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-15T03:55:51.754Z

Reserved: 2026-04-30T05:04:05.785Z

Link: CVE-2026-7481

Vulnrichment

Updated: 2026-05-14T13:16:21.750Z

NVD

Status: Analyzed

Published: 2026-05-14T06:16:25.660

Modified: 2026-05-14T18:50:42.700

Link: CVE-2026-7481

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:15:15Z

Weaknesses