CVE-2026-7377
GitLab · GitLab EE
GitLab EE is vulnerable to a Stored Cross-site Scripting (XSS) issue, allowing authenticated users to inject malicious scripts into web pages.
Executive summary
A Cross-site Scripting (XSS) vulnerability in GitLab EE could allow an authenticated attacker to execute arbitrary scripts in the context of other users' sessions.
Vulnerability
This is a Cross-site Scripting (CWE-79) vulnerability where improper neutralization of user-supplied input allows an authenticated attacker with low privileges to execute malicious scripts.
Business impact
A successful exploit could lead to session hijacking, unauthorized actions performed on behalf of other users, or the exfiltration of sensitive data. With a CVSS score of 8.7 (High), this vulnerability presents a significant risk to the integrity and confidentiality of the GitLab environment, particularly for administrators or high-privilege users targeted by the script.
Remediation
Immediate Action: Upgrade GitLab EE instances to versions 18.9.7, 18.10.6, 18.11.3, or higher immediately.
Proactive Monitoring: Monitor web access logs for unusual patterns or payloads containing script tags associated with user-controlled input fields.
Compensating Controls: Implement or tune a Web Application Firewall (WAF) to detect and block common XSS attack patterns targeting the GitLab interface.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for session compromise within high-value development environments, patching is critical. Organizations should prioritize updating their GitLab installations to the versions provided to ensure complete remediation of this XSS flaw.