Skip to main content

GitLab CE/EE EUVDEUVD-2026-25046

| CVE-2026-5816 HIGH
Improper Resolution of Path Equivalence (CWE-41)
2026-04-22 GitLab GHSA-gj6x-vqpx-4p3c
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Re-analysis Queued
Apr 23, 2026 - 20:42 vuln.today
cvss_changed
PoC Detected
Apr 23, 2026 - 20:30 vuln.today
Public exploit code
Patch released
Apr 23, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 00:16 vuln.today
Patch available
Apr 22, 2026 - 17:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 16:31 euvd
EUVD-2026-25046
Analysis Generated
Apr 22, 2026 - 16:31 vuln.today
CVE Published
Apr 22, 2026 - 16:04 nvd
HIGH 8.0

DescriptionCVE.org

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.

AnalysisAI

Cross-site scripting (XSS) in GitLab CE/EE versions 18.10.0-18.10.3 and 18.11.0 enables unauthenticated attackers to execute arbitrary JavaScript in victim browser sessions via improper path validation. GitLab disclosed this vulnerability with publicly available exploit code (HackerOne report 3572231), though CISA SSVC indicates no active exploitation confirmed at time of analysis. CVSS 8.0 reflects the changed scope (S:C) allowing impact beyond the vulnerable component, though High attack complexity (AC:H) and required user interaction (UI:R) limit ease of exploitation. Patched in versions 18.10.4 and 18.11.1.

Technical ContextAI

This is a path traversal leading to cross-site scripting vulnerability (CWE-41: Improper Resolution of Path Equivalence). GitLab's web application failed to properly validate file paths in certain request handlers, allowing attackers to craft URLs that bypass origin restrictions and inject malicious JavaScript. The affected components are GitLab Community Edition and Enterprise Edition versions 18.10.x and 18.11.x. The CVSS Changed Scope (S:C) indicates the vulnerability impacts resources beyond the GitLab application itself - specifically, the confidentiality and integrity of user browser sessions and potentially other web applications under the same origin. This class of vulnerability typically arises from insufficient canonicalization of user-supplied path input before making security decisions, allowing sequences like '../', URL encoding, or Unicode variations to traverse outside intended directories.

RemediationAI

Upgrade immediately to GitLab 18.10.4 or 18.11.1 per vendor advisory at https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/. For the 18.10 branch, apply version 18.10.4; for 18.11 branch, apply 18.11.1. If immediate patching is not feasible, implement compensating controls: configure web application firewall rules to block requests containing path traversal patterns (../, %2e%2e%2f, Unicode variations) targeting GitLab endpoints, though this may cause false positives for legitimate file operations. Deploy Content Security Policy headers with restrictive script-src directives to limit XSS impact, noting this reduces but does not eliminate risk as attackers may leverage existing trusted scripts. Restrict GitLab access to authenticated VPN users only, eliminating the unauthenticated attack surface, though this significantly impacts usability for public repositories. Monitor access logs for unusual path patterns in URLs. All compensating controls are partial mitigations - vendor patching remains the definitive solution.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

EUVD-2026-25046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy