HIGHCVE-2026-7377Published 2026-05-14Modified 2026-05-15CNA GitLab

CVE-2026-7377: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.

CVSS v3.1: 8.7
Severity: HIGH
Fixed in: 18.9.7
Affected Products: 1

Fix available

18.9.718.10.618.11.3

Affected packages

GitLab / GitLab
< 18.9.7 (from 18.7) · < 18.10.6 (from 18.10) · < 18.11.3 (from 18.11)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References

gitlab.com
HackerOne Bug Bounty Report #3659044
about.gitlab.com

Metrics

Fix available