What is the CVSS score of EUVD-2026-36226?

EUVD-2026-36226 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of GitLab EE are affected by EUVD-2026-36226?

GitLab Enterprise Edition versions 13.1.4 through 19.0.1 contain a stored cross-site scripting vulnerability that permits authenticated users with low privileges to inject malicious code and add…. A patch is available.

Is there a public PoC exploit available for EUVD-2026-36226?

Yes, a public proof-of-concept exploit is available for EUVD-2026-36226. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2026-36226?

Within 24 hours: Identify all GitLab EE instances and their current versions (affected: 13.1.4-18.10.7, 18.11 prior to 18.11.5, 19.0 prior to 19.0.2). Within 7 days: Apply patches to 18.10.8+, 18.11.5+, or 19.0.2+ and verify all systems are running patched versions. Within 30 days: Audit group settings for unauthorized email addresses and review access logs for exploitation attempts.

GitLab EE EUVD-2026-36226

| CVE-2026-8589 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-06-11 GitLab

GHSA-q9j8-24p8-jq8j

Gitlab XSS

8.7

CVSS 3.1 · NVD

Severity by source

Vendor (GitLab) PRIMARY

HIGH

qualitative

NVD

8.7 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

vuln.today AI

8.7 HIGH

Network-reachable web UI (AV:N), low complexity (AC:L), requires an authenticated account able to edit group settings (PR:L), needs victim interaction (UI:R); payload executes in victim browser context yielding scope change and account takeover (S:C, C:H/I:H, A:N).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitLab).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Jun 11, 2026 - 17:42 vuln.today

v3 (cvss_changed)

Analysis Updated

Jun 11, 2026 - 17:42 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Jun 11, 2026 - 17:37 vuln.today

cvss_changed

CVSS changed

Jun 11, 2026 - 17:37 NVD

7.3 (HIGH) 8.7 (HIGH)

Patch available

Jun 11, 2026 - 13:01 EUVD

Analysis Generated

Jun 11, 2026 - 11:51 vuln.today

CVE Published

Jun 11, 2026 - 10:20 cve.org

HIGH 7.3

DescriptionNVD

GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.

Articles & Coverage 2

News 5 New GitLab Vulnerabilities - 5 High Severity, 4 With POC Jun 12, 2026 News 4 New GitLab Vulnerabilities - 4 High Severity, All With POC Jun 11, 2026

AnalysisAI

Stored cross-site scripting and account integrity abuse in GitLab Enterprise Edition versions 13.1.4 through 18.10.7, 18.11 prior to 18.11.5, and 19.0 prior to 19.0.2 allows an authenticated low-privileged user to inject unsanitized input into certain group setting fields and add unauthorized email addresses to a targeted user's account. Publicly available exploit code exists via a HackerOne report, though EPSS exploitation probability remains very low at 0.02% and the SSVC framework rates current exploitation as 'none' with total technical impact when successful.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate to vulnerable GitLab EE

Delivery

Inject payload into group setting field

Exploit

Victim loads poisoned group page

Install

Payload executes in victim session

Unauthorized email added to victim account

Execute

Trigger password reset to attacker email

Impact

Take over victim account

Recon

Authenticate to vulnerable GitLab EE

Delivery

Inject payload into group setting field

Exploit

Victim loads poisoned group page

Install

Payload executes in victim session

Unauthorized email added to victim account

Execute

Trigger password reset to attacker email

Impact

Take over victim account

Vulnerability AssessmentAI

Exploitation	Attacker must (1) hold an authenticated GitLab EE account with sufficient privileges to modify the specific vulnerable group setting fields on a group the victim will visit, and (2) induce the targeted user to interact with the poisoned group context (UI:R in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed: CVSS 3.1 base of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) reflects a high-impact, low-complexity network-reachable issue requiring some authentication and victim interaction with scope change, while EPSS is only 0.02% (5th percentile) and SSVC exploitation status is 'none' and automatable is 'no'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A low-privileged but authenticated GitLab user with permission to edit certain group settings injects a malicious payload into a vulnerable group setting field; when a targeted higher-privileged user interacts with the affected group page, the payload executes in their session and adds an attacker-controlled email address to their account, enabling subsequent password reset and full account takeover. Publicly available exploit code exists via HackerOne report 3722842, lowering the bar for any attacker who already holds a GitLab account on a vulnerable instance.
Remediation	Vendor-released patch: upgrade GitLab EE to 19.0.2, 18.11.5, or 18.10.8 (or later) depending on your release train, as announced in the GitLab patch release blog at https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all GitLab EE instances and their current versions (affected: 13.1.4-18.10.7, 18.11 prior to 18.11.5, 19.0 prior to 19.0.2). …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10087 HIGH This Week POC

8.7 Jun 11

Stored cross-site scripting in GitLab Enterprise Edition's Analytics Dashboard allows an authenticated developer-role us

CVE-2026-6552 HIGH This Week POC

8.7 Jun 11

Account takeover in GitLab Enterprise Edition versions 15.5 through 19.0.2 allows an authenticated group Owner to hijack

CVE-2026-7250 HIGH This Week POC

7.5 Jun 11

Denial of service in GitLab CE/EE versions 12.10 through 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 allows un

CVE-2026-1500 MEDIUM This Month POC

6.5 Jun 11

Uncontrolled resource consumption in GitLab CE/EE's file upload processing pipeline enables any authenticated user to tr

CVE-2026-6269 MEDIUM This Month POC

5.4 Jun 11

Incorrect authorization enforcement in GitLab CE/EE exposes hidden merge requests to unauthorized modification by authen

EUVD-2026-36226 vulnerability details – vuln.today

Back