PT-2026-40872 · Gitlab · Gitlab Ce/Ee

Published 2026-05-14 · Updated 2026-05-18 · CVE-2026-6073

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

GitLab EE versions 18.7 through 18.9.6
GitLab EE versions 18.10 through 18.10.5
GitLab EE versions 18.11 through 18.11.2

Description

An issue exists where improper input sanitization allows an authenticated user to execute arbitrary JavaScript in other users' browsers. This Cross-Site Scripting (XSS) flaw (a vulnerability where malicious scripts are injected into otherwise trusted websites) can lead to session hijacking, page defacement, or redirection to harmful sites.

Recommendations

Update versions 18.7 through 18.9.6 to 18.9.7.
Update versions 18.10 through 18.10.5 to 18.10.6.
Update versions 18.11 through 18.11.2 to 18.11.3.
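An added helper, not part of this advisory or of GitLab, that maps a GitLab version string to the affected ranges and fixed versions listed in the recommendations above; the range bounds are the advisory's own, and the sample version strings in the script are constructed.

```python
# Added example (not from the advisory): decide whether a GitLab EE version
# string falls inside one of the affected ranges above and report the fixed
# version to move to. Range bounds come from the advisory's Recommendations;
# the sample versions at the bottom are constructed for illustration.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound, inclusive upper bound, first fixed version)
AFFECTED_RANGES = [
    ((18, 7), (18, 9, 6), "18.9.7"),
    ((18, 10), (18, 10, 5), "18.10.6"),
    ((18, 11), (18, 11, 2), "18.11.3"),
]


def parse_version(text: str) -> Version:
    """Turn '18.9.6' or '18.9.6-ee' into a comparable tuple (18, 9, 6)."""
    core = text.strip().split("-", 1)[0]  # drop '-ee' style suffixes
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Version, width: int = 3) -> Version:
    """Zero-pad so that 18.7 compares as 18.7.0 (the first 18.7 release)."""
    return v + (0,) * (width - len(v))


def fixed_version_for(text: str) -> Optional[str]:
    """Return the version to update to if `text` is affected, else None."""
    v = pad(parse_version(text))
    for low, high, fixed in AFFECTED_RANGES:
        if pad(low) <= v <= pad(high):
            return fixed
    return None


if __name__ == "__main__":
    for sample in ["18.7.0-ee", "18.9.6", "18.9.7", "18.10.5", "18.11.3", "18.6.9"]:
        fix = fixed_version_for(sample)
        status = f"update to {fix}" if fix else "not in an affected range"
        print(f"{sample:>10}: {status}")
```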

Exploit · Fix · XSS

Related Identifiers

BDU:2026-06916
BIT-GITLAB-2026-6073
CVE-2026-6073

Affected Products

Gitlab Ce/Ee