Skip to main content

GitLab CVE-2025-13761

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-01-09 cve@gitlab.com
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Unauthenticated network XSS needing victim interaction (UI:R) with scope change into the authenticated session; high confidentiality/integrity via session abuse but availability impact is limited (A:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N
Red Hat
8.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 30, 2026 - 04:09 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:09 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:08 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:07 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:23 NVD
HIGH CRITICAL
CVSS changed
Jun 30, 2026 - 03:23 NVD
8.0 (HIGH) 9.6 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 09, 2026 - 10:15 nvd
HIGH 8.0

DescriptionNVD

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.

AnalysisAI

Cross-site scripting in GitLab CE/EE (18.6 before 18.6.3 and 18.7 before 18.7.1) lets an unauthenticated attacker run arbitrary JavaScript in the browser of a logged-in victim who is lured to a specially crafted webpage, enabling session theft and actions performed as that authenticated user. The flaw carries a critical CVSS 9.6 with a scope change, reflecting impact that crosses from the vulnerable component into the victim's authenticated session. No public exploit identified at time of analysis, and EPSS is very low (0.04%, 12th percentile), but the vendor-confirmed nature and HackerOne report indicate a credible, validated issue.

Technical ContextAI

GitLab is a self-managed and SaaS DevOps platform (Git repository management, CI/CD, issue tracking) deployed as the Community Edition (CPE cpe:2.3:a:gitlab:gitlab:*:community) and Enterprise Edition (cpe:2.3:a:gitlab:gitlab:*:enterprise). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting): user-controllable input is rendered into the GitLab web UI without adequate sanitization or output encoding, allowing attacker-supplied markup/script to execute in the trusted GitLab origin. Because the payload runs inside the victim's authenticated GitLab browser session, the attacker inherits that user's privileges within the application, which is why the CVSS scope is marked Changed (S:C).

RemediationAI

Vendor-released patch: upgrade GitLab CE/EE to 18.6.3 (for the 18.6 branch) or 18.7.1 (for the 18.7 branch) or later, per the GitLab patch release advisory (https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/) and issue 582237. As GitLab strongly recommends running the latest patched release of your minor version, prioritize this upgrade for internet-facing instances. If immediate patching is not possible, compensating controls include restricting GitLab web access to trusted networks/VPN to limit who can be lured into the authenticated context, enforcing a strict Content-Security-Policy to reduce inline-script execution (trade-off: may break custom integrations or embedded content), and educating users not to follow untrusted links while logged into GitLab (trade-off: relies on human behavior and is not a reliable control). These are stopgaps only; the upgrade is the definitive fix.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Vendor StatusVendor

Share

CVE-2025-13761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy