CVE-2026-1090

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 10.6 through 18.7.5 GitLab CE/EE versions 18.8 through 18.8.5 GitLab CE/EE versions 18.9 through 18.9.1

Description GitLab CE/EE is affected by an issue that could allow an authenticated user to inject JavaScript into a browser. This occurs when the markdown placeholders feature flag is enabled due to improper sanitization of placeholder content during markdown processing. The issue affects versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2. The vulnerability allows for the injection of JavaScript through the processing of markdown content. The vulnerable component is related to the handling of placeholder content within markdown.

Recommendations GitLab CE/EE versions 10.6 through 18.7.5 should be updated to version 18.7.6 or later. GitLab CE/EE versions 18.8 through 18.8.5 should be updated to version 18.8.6 or later. GitLab CE/EE versions 18.9 through 18.9.1 should be updated to version 18.9.2 or later.