Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
8DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.
AnalysisAI
Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1.
Technical ContextAI
This is a path traversal leading to cross-site scripting vulnerability (CWE-41: Improper Resolution of Path Equivalence). GitLab's web application failed to properly validate file paths in certain request handlers, allowing attackers to craft URLs that bypass origin restrictions and inject malicious JavaScript. The affected components are GitLab Community Edition and Enterprise Edition versions 18.10.x and 18.11.x. The CVSS Changed Scope (S:C) indicates the vulnerability impacts resources beyond the GitLab application itself - specifically, the confidentiality and integrity of user browser sessions and potentially other web applications under the same origin. This class of vulnerability typically arises from insufficient canonicalization of user-supplied path input before making security decisions, allowing sequences like '../', URL encoding, or Unicode variations to traverse outside intended directories.
RemediationAI
Upgrade immediately to GitLab 18.10.4 or 18.11.1 per vendor advisory at https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/. For the 18.10 branch, apply version 18.10.4; for 18.11 branch, apply 18.11.1. If immediate patching is not feasible, implement compensating controls: configure web application firewall rules to block requests containing path traversal patterns (../, %2e%2e%2f, Unicode variations) targeting GitLab endpoints, though this may cause false positives for legitimate file operations. Deploy Content Security Policy headers with restrictive script-src directives to limit XSS impact, noting this reduces but does not eliminate risk as attackers may leverage existing trusted scripts. Restrict GitLab access to authenticated VPN users only, eliminating the unauthenticated attack surface, though this significantly impacts usability for public repositories. Monitor access logs for unusual path patterns in URLs. All compensating controls are partial mitigations - vendor patching remains the definitive solution.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-41 – Improper Resolution of Path Equivalence
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25046
GHSA-gj6x-vqpx-4p3c