CVE-2026-7377

GitLab · GitLab EE

GitLab EE is vulnerable to a Stored Cross-site Scripting (XSS) issue, allowing authenticated users to inject malicious scripts into web pages.

Executive summary

A Cross-site Scripting (XSS) vulnerability in GitLab EE could allow an authenticated attacker to execute arbitrary scripts in the context of other users' sessions.

Vulnerability

This is a Cross-site Scripting (CWE-79) vulnerability where improper neutralization of user-supplied input allows an authenticated attacker with low privileges to execute malicious scripts.

Business impact

A successful exploit could lead to session hijacking, unauthorized actions performed on behalf of other users, or the exfiltration of sensitive data. With a CVSS score of 8.7 (High), this vulnerability presents a significant risk to the integrity and confidentiality of the GitLab environment, particularly for administrators or high-privilege users targeted by the script.

Remediation

Immediate Action: Upgrade GitLab EE instances to versions 18.9.7, 18.10.6, 18.11.3, or higher immediately.

Proactive Monitoring: Monitor web access logs for unusual patterns or payloads containing script tags associated with user-controlled input fields.

Compensating Controls: Implement or tune a Web Application Firewall (WAF) to detect and block common XSS attack patterns targeting the GitLab interface.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the potential for session compromise within high-value development environments, patching is critical. Organizations should prioritize updating their GitLab installations to the versions provided to ensure complete remediation of this XSS flaw.