CVE-2026-6073

GitLab · GitLab EE

GitLab EE is affected by a Cross-site Scripting (XSS) vulnerability that allows for improper neutralization of input during web page generation.

Executive summary

A stored cross-site scripting (XSS) vulnerability in GitLab EE may allow authenticated, low-privileged users to execute arbitrary scripts in the context of a victim's session.

Vulnerability

This is a Cross-site Scripting (CWE-79) vulnerability where insufficient input validation allows an authenticated user to inject malicious scripts, potentially compromising other user sessions.

Business impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, leading to session hijacking, unauthorized data access, or the performance of actions on behalf of the victim. With a CVSS score of 8.7, this represents a high risk to the confidentiality and integrity of the GitLab environment, particularly for organizations relying on GitLab for CI/CD and source code management.

Remediation

Immediate Action: Upgrade GitLab EE instances to versions 18.9.7, 18.10.6, 18.11.3 or higher immediately.

Proactive Monitoring: Monitor audit logs for unusual web requests or suspicious activity originating from accounts with low-level privileges.

Compensating Controls: Ensure Content Security Policy (CSP) headers are strictly configured to mitigate the impact of potential script injection attacks.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the CVSS score of 8.7, this vulnerability should be treated as a high-priority update. Administrators must verify their current GitLab version and apply the identified patches immediately to prevent unauthorized access and potential account takeovers.