What is the CVSS score of CVE-2026-3254?

CVE-2026-3254 has a CVSS 3.1 base score of 3.5 (Low). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-3254?

Yes, a public proof-of-concept exploit is available for CVE-2026-3254. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-3254?

Yes, a patch is available for CVE-2026-3254. Update the affected software to the latest version immediately.

GitLab CE/EE CVE-2026-3254

EUVD-2026-24961 LOW

Improper Restriction of Rendered UI Layers or Frames (CWE-1021)

2026-04-22 GitLab

GHSA-rv75-mvrq-37g2

XSS Gitlab

3.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

PoC Detected

Apr 23, 2026 - 20:43 vuln.today

Public exploit code

Patch released

Apr 23, 2026 - 20:43 nvd

Patch available

Analysis Generated

Apr 23, 2026 - 07:00 vuln.today

Patch available

Apr 22, 2026 - 17:33 EUVD

EUVD ID Assigned

Apr 22, 2026 - 17:01 euvd

EUVD-2026-24961

Analysis Generated

Apr 22, 2026 - 17:01 vuln.today

CVE Published

Apr 22, 2026 - 16:29 nvd

LOW 3.5

DescriptionNVD

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.

AnalysisAI

Cross-site scripting (XSS) in GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to inject unauthorized content into other users' browsers through improper input validation in the Mermaid diagram sandbox. An attacker must have valid GitLab credentials and the victim must view a malicious diagram, limiting real-world impact despite the publicly available exploit code. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-3515 HIGH This Week

8.5 May 24

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands th

CVE-2026-9807 MEDIUM This Month POC

4.3 May 28

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private p

CVE-2026-4868 HIGH This Week

8.2 May 27

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo

CVE-2026-1402 MEDIUM This Month

6.5 May 27

Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, al

CVE-2026-6713 MEDIUM This Month

5.3 May 27

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated networ

CVE-2026-3254 vulnerability details – vuln.today

Back