CVE Catalog

CVE-2026-10712

HighCVSS 8.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

A vulnerability in GitLab CE/EE allows an unauthenticated attacker to execute arbitrary JavaScript in a user's browser session due to improper path validation. Affects versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1.

Risk Assessment

An attacker can hijack a user's session, steal data, or perform unauthorized actions in the victim's context, posing a serious threat to data confidentiality and integrity.

Recommendation

Immediately upgrade GitLab to version 18.11.6, 19.0.3, or 19.1.1 depending on your branch. No workarounds are available; upgrading is the only solution.

Original NVD description (English source)

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS