Threat Advisory

GitLab Flaw Lets Attackers Inject Malicious Scripts via Developer-Level Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in GitLab Community Edition (CE) and Enterprise Edition (EE), urging users to upgrade immediately to mitigate potential risks. The latest patch versions 19.1.2, 19.0.4, and 18.11.7 were published on July 8, 2026.

CVE-2026-6896 (CVSS 8.7 — Severity): A high-severity cross-site scripting (XSS) vulnerability affects GitLab EE and could allow an authenticated attacker with developer-level access to inject malicious scripts into another user’s browser session.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in GitLab Community Edition (CE) and Enterprise Edition (EE), urging users to upgrade immediately to mitigate potential risks. The latest patch versions 19.1.2, 19.0.4, and 18.11.7 were published on July 8, 2026.

CVE-2026-6896 (CVSS 8.7 — Severity): A high-severity cross-site scripting (XSS) vulnerability affects GitLab EE and could allow an authenticated attacker with developer-level access to inject malicious scripts into another user’s browser session.[emaillocker id="1283"]

CVE-2026-13320: Another high-severity issue involves HTML injection in wiki markup rendering, impacting both CE and EE versions. It could enable attackers to execute arbitrary scripts in a victim’s browser under certain conditions.

CVE-2026-11827 (CVSS 5.3 — Severity): A medium-severity vulnerability affects repository mirroring in GitLab EE and could allow attackers with maintainer-level permissions to access stored credentials due to insufficient protection mechanisms.

CVE-2026-8472: A medium-severity issue involves improper access control in work items, potentially exposing metadata from private projects to unauthorized users.

CVE-2026-7492 (CVSS 4.3 — Severity): A missing-authorization flaw could allow unauthenticated users to infer the existence of private projects via references to commit discussions.

These vulnerabilities collectively present a significant threat in collaborative environments where shared content is frequently accessed.

RECOMMENDATION:

We recommend you to update GitLab to version 19.1.2, 19.0.4, or 18.11.7.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu