CVE-2026-10087: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.
Metrics
- CVSS v3.1: 8.7
- Severity: HIGH
- Fixed in: 18.10.8
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in GitLab EE affects all versions from 17.1 up to the fixed releases. The flaw is reachable over the network by any authenticated user holding at least developer-level permissions, and exploiting it requires the attacker to get a targeted user to view a crafted Analytics Dashboard page. Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions performed as the victim. Patched-image rebuilds at versions 18.10.8, 18.11.5, and 19.0.2 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10087 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built GitLab EE images. Coverage extends to any image layer that carries an affected GitLab EE package, regardless of how the image was assembled.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 8.7 (High) and weighting it against each customer environment's compliance policy to set appropriate urgency. Triage routing is available to direct the finding to the right team inbox within each customer org based on image ownership and policy configuration.
Status: Available
A patched-image rebuild at GitLab EE versions 18.10.8, 18.11.5, or 19.0.2 (matching the affected branch in use) becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard is capable of executing a rebuild, running a regression test suite, and opening a PR against affected workloads automatically.
Status: Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the GitLab EE instance over the network; the vulnerable Analytics Dashboard endpoint is exposed via HTTP/HTTPS.
- Authentication: Required
  Any account holding at least developer-role permissions is sufficient; no administrative access is needed.
- Victim interaction: Required
  The targeted user must view a crafted Analytics Dashboard page, requiring the attacker to deliver a link or embed the payload where the victim will encounter it.
- Attack complexity (detail)
  Attack complexity is low, meaning the exploit is reliable and requires no race conditions or special environmental prerequisites beyond the attacker having developer-level access.
Blast Radius
- The attacker executes arbitrary JavaScript inside the victim's active browser session, allowing session token theft and account takeover.
- Actions available to the victim user (including API calls, repository writes, and settings changes) can be performed on their behalf without consent.
- Confidential data visible to the victim, such as private repository contents, merge requests, and pipeline outputs, is readable by the attacker's injected script.
How HarborGuard Handles This
Available on HarborGuard: detection matches images carrying affected GitLab EE versions (17.1 through the patched releases) against the published advisory within minutes. For environments running an affected branch, patched-image rebuilds at 18.10.8, 18.11.5, or 19.0.2 are available as soon as the upstream packages are confirmed. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute a regression run, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is surfaced in the triage queue with CVSS score, affected image list, and fix-version guidance so engineering teams can act directly. As an interim compensating control, network-policy rules restricting access to the Analytics Dashboard endpoint to trusted internal subnets reduce attacker reach while a rebuild is staged.
Fix available
- GitLab / GitLab: < 18.10.8 (from 17.1) · < 18.11.5 (from 18.11) · < 19.0.2 (from 19.0)
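The three affected ranges above are branch-scoped, so a naive "version < 18.10.8" check would wrongly flag 18.11.x and 19.0.x builds that are already fixed. The following is an added example, not HarborGuard's or GitLab's code, that encodes the advisory's ranges and decides whether a given GitLab EE version string needs a rebuild; the image inventory shape and version strings are constructed for illustration.

```python
# Added example (not HarborGuard's or GitLab's code): decide whether a GitLab EE
# version falls inside the affected ranges published for CVE-2026-10087.
# A version is affected if it is at or above a branch start and strictly below
# that branch's first fixed release. Versions on a branch newer than any listed
# one (e.g. 19.1.x) are not covered by this advisory and are reported as unaffected.
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (branch start, first fixed release) per affected branch, from the advisory.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("17.1", "18.10.8"),
    ("18.11", "18.11.5"),
    ("19.0", "19.0.2"),
]

def parse_version(text: str) -> Version:
    """Parse '18.10.3', '18.10.3-ee' or 'v19.0' into a comparable 3-tuple.
    A missing patch component is treated as 0; suffixes like '-ee' are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (start, fixed) range covering `version`, or None if the
    version is already at/after the fix or outside every listed range."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(fixed):
            return (start, fixed)
    return None

def is_affected(version: str) -> bool:
    return affected_range(version) is not None

def triage(images: Dict[str, str]) -> List[str]:
    """Map {image_name: gitlab_ee_version} to rebuild recommendations, naming
    the fixed release on the same branch so the upgrade stays minimal."""
    findings = []
    for name, ver in images.items():
        rng = affected_range(ver)
        if rng:
            findings.append(f"{name}: {ver} affected, rebuild to {rng[1]}")
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not real customer data.
    sample = {"ci/gitlab-ee": "18.10.3-ee", "stg/gitlab-ee": "18.11.5", "dev/gitlab-ee": "19.0.1"}
    for line in triage(sample):
        print(line)
```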
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N