Skip to main content

GitLab CE/EE CVE-2026-3254

| EUVDEUVD-2026-24961 LOW
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-04-22 GitLab GHSA-rv75-mvrq-37g2
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

7
PoC Detected
Apr 23, 2026 - 20:43 vuln.today
Public exploit code
Patch released
Apr 23, 2026 - 20:43 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 07:00 vuln.today
Patch available
Apr 22, 2026 - 17:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 17:01 euvd
EUVD-2026-24961
Analysis Generated
Apr 22, 2026 - 17:01 vuln.today
CVE Published
Apr 22, 2026 - 16:29 nvd
LOW 3.5

DescriptionCVE.org

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.

AnalysisAI

Cross-site scripting (XSS) in GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to inject unauthorized content into other users' browsers through improper input validation in the Mermaid diagram sandbox. An attacker must have valid GitLab credentials and the victim must view a malicious diagram, limiting real-world impact despite the publicly available exploit code. SSVC analysis rates this as non-automatable with partial technical impact, consistent with the low CVSS 3.5 score.

Technical ContextAI

GitLab integrates the Mermaid diagram rendering library, which generates flowcharts, sequence diagrams, and other visual content from user-provided input. The vulnerability stems from CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), indicating the Mermaid sandbox mechanism failed to properly isolate and validate input before rendering within the browser context. The affected CPE (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*) indicates GitLab Community Edition and Enterprise Edition are vulnerable. The XSS occurs within the Mermaid diagram parser/renderer, where malicious syntax or escaped content bypasses the intended sandboxing controls and executes in the victim's browser session.

RemediationAI

Upgrade to GitLab CE/EE version 18.11.1 or later to apply the vendor-released patch. GitLab has remediated the improper input validation in the Mermaid sandbox as documented in the official work item (https://gitlab.com/gitlab-org/gitlab/-/work_items/591587). No workarounds are available for versions prior to 18.11.1 other than restricting diagram creation to trusted administrators or temporarily disabling Mermaid diagram rendering by administrative policy. Organizations unable to upgrade immediately should audit recent diagram activity for suspicious content and consider limiting access to diagram creation features.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

CVE-2026-3254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy