What is the CVSS score of CVE-2025-7739?

CVE-2025-7739 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Gitlab are affected by CVE-2025-7739?

Organizations using GitLab CE/EE affecting all face significant risk from CVE-2025-7739, a cross-site scripting vulnerability rated CVSS 8.7.

How to fix or mitigate CVE-2025-7739?

Within 7 days: Identify all affected systems running GitLab CE/EE affecting all and apply vendor patches promptly. Verify anti-CSRF tokens and content security policies are enforced.

Gitlab CVE-2025-7739

HIGH

Cross-site Scripting (XSS) (CWE-79)

2025-08-13 cve@gitlab.com

XSS Gitlab

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:06 vuln.today

CVE Published

Aug 13, 2025 - 18:15 nvd

HIGH 8.7

DescriptionNVD

An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions.

AnalysisAI

An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions. Affected products include: Gitlab. Version information: before 18.2.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More from same product – last 7 days

CVE-2026-3515 HIGH This Week

8.5 May 24

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands th

CVE-2026-9807 MEDIUM This Month POC

4.3 May 28

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private p

CVE-2026-4868 HIGH This Week

8.2 May 27

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo

CVE-2026-1402 MEDIUM This Month

6.5 May 27

Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, al

CVE-2026-6713 MEDIUM This Month

5.3 May 27

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated networ

CVE-2025-7739 vulnerability details – vuln.today

Back