HIGHCVE-2026-2995Published 2026-03-25Modified 2026-03-26CNA GitLab

CVE-2026-2995: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.

CVSS v3.1: 7.7
Severity: HIGH
Fixed in: 18.8.7
Affected Products: 1

Fix available

18.8.718.9.318.10.1

Affected packages

GitLab / GitLab
< 18.8.7 (from 15.4) · < 18.9.3 (from 18.9) · < 18.10.1 (from 18.10)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

References

HackerOne Bug Bounty Report #3564600
gitlab.com
about.gitlab.com

Metrics

Fix available