CVE-2026-6073
GitLab · GitLab EE
GitLab EE is affected by a Cross-site Scripting (XSS) vulnerability that allows for improper neutralization of input during web page generation.
Executive summary
A stored cross-site scripting (XSS) vulnerability in GitLab EE may allow authenticated, low-privileged users to execute arbitrary scripts in the context of a victim's session.
Vulnerability
This is a Cross-site Scripting (CWE-79) vulnerability where insufficient input validation allows an authenticated user to inject malicious scripts, potentially compromising other user sessions.
Business impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, leading to session hijacking, unauthorized data access, or the performance of actions on behalf of the victim. With a CVSS score of 8.7, this represents a high risk to the confidentiality and integrity of the GitLab environment, particularly for organizations relying on GitLab for CI/CD and source code management.
Remediation
Immediate Action: Upgrade GitLab EE instances to versions 18.9.7, 18.10.6, 18.11.3 or higher immediately.
Proactive Monitoring: Monitor audit logs for unusual web requests or suspicious activity originating from accounts with low-level privileges.
Compensating Controls: Ensure Content Security Policy (CSP) headers are strictly configured to mitigate the impact of potential script injection attacks.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the CVSS score of 8.7, this vulnerability should be treated as a high-priority update. Administrators must verify their current GitLab version and apply the identified patches immediately to prevent unauthorized access and potential account takeovers.