Threat Advisory

GitLab Vulnerabilities Trigger XSS in Analytics Dashboard

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Multiple vulnerabilities have been found in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaws span cross-site scripting, insufficient output filtering, authorization bypass, improper input validation, and access-control weaknesses. Exploitable XSS bugs enable attackers to execute arbitrary client-side code, while inadequate filtering can expose confidential project data. Combined, these issues could lead to session hijacking, credential theft, unauthorized configuration changes, and leakage of sensitive secrets such as DAST site profiles or package metadata. The overall risk is elevated for organizations that host self-managed GitLab instances and rely on it for CI/CD pipelines and code storage.

CVE-2026-10086 with a CVSS score of 8.7 – A cross‑site scripting flaw in the Analytics dashboard of GitLab EE that allows an authenticated developer to inject malicious JavaScript into other users’ sessions, enabling session hijacking or credential theft.

CVE-2026-10712 with a CVSS score of 7.1 – An XSS vulnerability in the Web IDE workbench asset handler that can be triggered by unauthenticated attackers to run arbitrary JavaScript in the browsers of any visiting user, facilitating drive‑by attacks.

CVE-2026-12053 with a CVSS score of 8.6 – Insufficient output filtering in Duo Workflows that may expose sensitive project information to users who should not have access, potentially leaking credentials or configuration data.
RECOMMENDATION:

  • We recommend updating GitLab CE/EE to version 19.1.1, 19.0.3 or 18.11.6 or later.
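As an added example (not part of the advisory and not GitLab's own code), the following script checks a GitLab version string against the fixed releases named above, branch by branch, so that 19.0.x is measured against 19.0.3 rather than 19.1.1. The `/api/v4/version` endpoint and `PRIVATE-TOKEN` header are GitLab's real API; the version inventory in the main block is constructed.

```python
"""Check whether a GitLab CE/EE version carries the fixes from this advisory."""
import json
import urllib.request

# Minimum patched release per supported branch, as stated in the advisory.
PATCHED = {(19, 1): (19, 1, 1), (19, 0): (19, 0, 3), (18, 11): (18, 11, 6)}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '19.0.2-ee' or '18.11.6' into a (major, minor, patch) tuple."""
    core = version.split("-")[0]  # drop '-ee' / '-ce' edition suffixes
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release for its branch.

    Branches newer than those listed (e.g. 19.2.x) ship after the fixes and
    count as patched; older branches (18.10 and earlier) receive no fix here
    and count as unpatched (assumption: no backports beyond the three listed).
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return (major, minor, patch) >= PATCHED[branch]
    return branch > max(PATCHED)


def fetch_version(base_url: str, token: str) -> str:
    """Query /api/v4/version on a self-managed instance (token needs read_api)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inventory; swap in fetch_version() results for real hosts.
    for v in ["19.1.0-ee", "19.1.1-ee", "19.0.3", "18.11.5-ce", "18.10.9", "19.2.0"]:
        print(f"{v:12} {'patched' if is_patched(v) else 'UPDATE REQUIRED'}")
```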
REFERENCES:

The following reports contain further technical details:
https://www.securityweek.com/gitlab-patches-code-execution-information-disclosure-vulnerabilities/
