PT-2026-40876 · Gitlab · Gitlab Ce/Ee+1

Published

2026-05-13

·

Updated

2026-05-18

·

CVE-2026-7377

CVSS v3.1

8.7

High

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.7 through 18.9.6 GitLab EE versions 18.10 through 18.10.5 GitLab EE versions 18.11 through 18.11.2
Description An issue in customizable analytics dashboards allows an authenticated user to execute arbitrary JavaScript in the context of other users' browsers. This occurs due to improper input sanitization, leading to stored Cross-site Scripting (XSS), where malicious scripts are injected into the dashboard and executed when viewed by other users. Over 1.2 million instances are identified globally.
Recommendations Update versions 18.7 through 18.9.6 to 18.9.7. Update versions 18.10 through 18.10.5 to 18.10.6. Update versions 18.11 through 18.11.2 to 18.11.3.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-06813
BIT-GITLAB-2026-7377
CVE-2026-7377

Affected Products

Gitlab
Gitlab Ce/Ee