What is the CVSS score of CVE-2025-13761?

CVE-2025-13761 has a CVSS 3.1 base score of 8.0 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Gitlab are affected by CVE-2025-13761?

Organizations using GitLab CE/EE affecting all face notable risk from CVE-2025-13761, a cross-site scripting vulnerability rated CVSS 8.0.

How to fix or mitigate CVE-2025-13761?

Within 7 days: Identify all affected systems running GitLab CE/EE affecting all and apply vendor patches promptly. Verify anti-CSRF tokens and content security policies are enforced.

Gitlab CVE-2025-13761

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-01-09 cve@gitlab.com

Gitlab Red Hat

8.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 09, 2026 - 10:15 nvd

HIGH 8.0

DescriptionNVD

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.

AnalysisAI

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Gitlab. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.