CVE-2026-3254
Cross-Site Scripting in GitLab Mermaid Sandbox Allows Content Injection
Publication date: 2026-04-22
Last updated on: 2026-04-23
Assigner: GitLab Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | 18.11.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1021 | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE versions from 18.11 before 18.11.1 involves improper input validation in the Mermaid sandbox feature. Under certain conditions, it could allow an authenticated user to load unauthorized content into another user's browser.
How can this vulnerability impact me?
The vulnerability could allow an authenticated user to inject unauthorized content into another user's browser, potentially leading to information exposure or manipulation of the user's browsing experience. The CVSS score nevertheless indicates low severity: no confidentiality or availability impact, and only a low impact on integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade GitLab CE/EE to version 18.11.1 or later, as the issue affecting versions from 18.11 before 18.11.1 has been remediated in that release.