GitLab
CVE-2025-13761
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Unauthenticated network XSS needing victim interaction (UI:R) with scope change into the authenticated session; high confidentiality/integrity via session abuse but availability impact is limited (A:L).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionNVD
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.
AnalysisAI
Cross-site scripting in GitLab CE/EE (18.6 before 18.6.3 and 18.7 before 18.7.1) lets an unauthenticated attacker run arbitrary JavaScript in the browser of a logged-in victim who is lured to a specially crafted webpage, enabling session theft and actions performed as that authenticated user. The flaw carries a critical CVSS 9.6 with a scope change, reflecting impact that crosses from the vulnerable component into the victim's authenticated session. No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the vendor-confirmed nature and HackerOne report indicate a credible, validated issue.
Technical ContextAI
GitLab is a self-managed and SaaS DevOps platform (Git repository management, CI/CD, issue tracking) deployed as the Community Edition (CPE cpe:2.3:a:gitlab:gitlab:*:community) and Enterprise Edition (cpe:2.3:a:gitlab:gitlab:*:enterprise). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting): user-controllable input is rendered into the GitLab web UI without adequate sanitization or output encoding, allowing attacker-supplied markup/script to execute in the trusted GitLab origin. Because the payload runs inside the victim's authenticated GitLab browser session, the attacker inherits that user's privileges within the application, which is why the CVSS scope is marked Changed (S:C).
RemediationAI
Vendor-released patch: upgrade GitLab CE/EE to 18.6.3 (for the 18.6 branch) or 18.7.1 (for the 18.7 branch) or later, per the GitLab patch release advisory (https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/) and issue 582237. As GitLab strongly recommends running the latest patched release of your minor version, prioritize this upgrade for internet-facing instances. If immediate patching is not possible, compensating controls include restricting GitLab web access to trusted networks/VPN to limit who can be lured into the authenticated context, enforcing a strict Content-Security-Policy to reduce inline-script execution (trade-off: may break custom integrations or embedded content), and educating users not to follow untrusted links while logged into GitLab (trade-off: relies on human behavior and is not a reliable control). These are stopgaps only; the upgrade is the definitive fix.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today