PT-2025-25289 · Gitlab · Gitlab Ce/Ee

Published: 2025-06-11 · Updated: 2025-09-25 · CVE-2025-4278

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 18.0 through 18.0.2

Description: An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions, HTML injection in the new search page could lead to account takeover. The vulnerability allows remote attackers to inject malicious code, enabling account takeovers on instances with authenticated access.

Recommendations: For GitLab CE/EE versions 18.0 through 18.0.2, update to a version newer than 18.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the new search page until a patch is available. Avoid using the new search page in GitLab CE/EE versions 18.0 through 18.0.2 until the issue is resolved.

Tags: Exploit · Fix · DoS · XSS

Weakness Enumeration

Related Identifiers

BDU:2025-06829
BIT-GITLAB-2025-4278
CVE-2025-4278

Affected Products

Gitlab Ce/Ee