CVE-2026-2973
Cross-Site Scripting in GitLab Mermaid Diagram Rendering
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.9.0 (inc) to 18.9.3 (exc) |
| gitlab | gitlab | 18.10.0 |
| gitlab | gitlab | From 18.9.0 (inc) to 18.9.3 (exc) |
| gitlab | gitlab | 18.10.0 |
| gitlab | gitlab | From 17.7.0 (inc) to 18.8.7 (exc) |
| gitlab | gitlab | From 17.7.0 (inc) to 18.8.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE affects versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1. It allows an authenticated user to execute arbitrary JavaScript in another user's browser. This happens because GitLab improperly sanitizes entity-encoded content in Mermaid diagrams, which can be exploited to inject malicious scripts.
How can this vulnerability impact me? :
The vulnerability can lead to cross-site scripting (XSS) attacks where an attacker can run arbitrary JavaScript in the context of another user's browser. This can result in unauthorized actions performed on behalf of the user, theft of sensitive information such as session tokens, or other malicious activities that compromise user security and privacy.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your GitLab CE/EE instance to a fixed version. Specifically, update to version 18.8.7 or later if you are using the 18.8 series, 18.9.3 or later if using the 18.9 series, or 18.10.1 or later if using the 18.10 series.
This vulnerability affects all versions from 17.7 before the fixed versions mentioned above and could allow an authenticated user to execute arbitrary JavaScript in a user's browser due to improper sanitization of entity-encoded content in Mermaid diagrams.