What is the CVSS score of CVE-2026-5262?

CVE-2026-5262 has a CVSS 3.1 base score of 8.0 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of GitLab CE/EE are affected by CVE-2026-5262?

GitLab CE/EE versions 16.1.0-18.11.0 contain a cross-site scripting vulnerability in the Storybook environment that enables unauthenticated attackers to steal access tokens through social…. A patch is available.

Is there a public PoC exploit available for CVE-2026-5262?

Yes, a public proof-of-concept exploit is available for CVE-2026-5262. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-5262?

Within 24 hours: Inventory all GitLab instances and confirm versions (affected ranges: 16.1.0-18.9.5, 18.10.0-18.10.3, 18.11.0). Within 7 days: Apply vendor-released patch to upgrade to GitLab 18.9.6, 18.10.4, 18.11.1 or later. Within 30 days: Audit GitLab access logs and token usage for the past 90 days; rotate all personal access tokens and deploy tokens as precautionary measure; review Storybook access controls and disable public access if not business-critical.

GitLab CE/EE CVE-2026-5262

EUVD-2026-25042 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-04-22 GitLab

GHSA-g9pv-f88j-p6rr

XSS Gitlab

8.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 23, 2026 - 20:54 vuln.today

cvss_changed

PoC Detected

Apr 23, 2026 - 20:38 vuln.today

Public exploit code

Patch released

Apr 23, 2026 - 20:38 nvd

Patch available

Analysis Generated

Apr 23, 2026 - 00:16 vuln.today

Patch available

Apr 22, 2026 - 17:33 EUVD

EUVD ID Assigned

Apr 22, 2026 - 16:31 euvd

EUVD-2026-25042

Analysis Generated

Apr 22, 2026 - 16:31 vuln.today

CVE Published

Apr 22, 2026 - 16:04 nvd

HIGH 8.0

DescriptionNVD

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation.

AnalysisAI

Cross-site scripting vulnerability in GitLab's Storybook development environment allows remote unauthenticated attackers to steal access tokens via crafted user interaction. Affects GitLab CE/EE versions 16.1.0 through 18.9.5, 18.10 through 18.10.3, and 18.11.0. …

RemediationAI

Within 24 hours: Inventory all GitLab instances and confirm versions (affected ranges: 16.1.0-18.9.5, 18.10.0-18.10.3, 18.11.0). Within 7 days: Apply vendor-released patch to upgrade to GitLab 18.9.6, 18.10.4, 18.11.1 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-3515 HIGH This Week

8.5 May 24

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands th

CVE-2026-9807 MEDIUM This Month POC

4.3 May 28

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private p

CVE-2026-4868 HIGH This Week

8.2 May 27

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo

CVE-2026-1402 MEDIUM This Month

6.5 May 27

Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, al

CVE-2026-6713 MEDIUM This Month

5.3 May 27

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated networ

CVE-2026-5262 vulnerability details – vuln.today

Back

GitLab CE/EE CVE-2026-5262

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code