Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
AV:N because the attack is delivered via email; AC:H per 'certain conditions'; PR:N per the description's explicit 'unauthenticated user' language, overriding the conflicting official PR:L; UI:R because the victim must view the injected issue content; I:L for content injection only.
Primary rating from Vendor (GitLab).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
Description (NVD)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that, under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
Analysis (AI)
Content injection via Service Desk email template processing in GitLab CE/EE allows an unauthenticated attacker to impersonate the GitLab Support Bot and inject arbitrary content into issue threads. The vulnerability affects all GitLab instances running versions from 15.9 through 19.0.1 with the Service Desk feature active, and stems from improper neutralization of substitution characters (CWE-153) in email template rendering. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Section | Assessment |
|---|---|
| Exploitation | The GitLab Service Desk feature must be enabled on the target project; it is a non-default, opt-in feature that requires project maintainer or administrator configuration. … |
| Risk Assessment | Real-world risk is constrained by multiple compounding factors. … |
| Exploit Scenario | An attacker obtains or enumerates the Service Desk email address for a GitLab project, then crafts a reply email whose body contains template substitution sequences targeting GitLab's internal email renderer. When GitLab processes the inbound email reply under the conditions required to trigger the vulnerability, the template engine evaluates the injected tokens and renders forged content attributed to the GitLab Support Bot identity within the issue thread. … |
| Remediation | Upgrade to a patched release immediately: GitLab 18.10.8, 18.11.5, or 19.0.2, as documented in the vendor patch advisory at https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/. … |
EUVD-2026-36224
GHSA-5cr4-qwvx-32j2