CVE-2026-4332
Received Received - Intake
Stored XSS in GitLab EE Analytics Dashboards Allows Arbitrary Script Execution

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitLab Inc.

Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbitrary JavaScript in the context of other users' browsers due to improper input sanitization.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-05-07
AI Q&A
2026-04-09
EPSS Evaluated
2026-05-05
NVD
CVE-2026-4332
EUVD
EUVD-2026-20800
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
gitlab gitlab From 18.9.0 (inc) to 18.9.5 (exc)
gitlab gitlab From 18.10.0 (inc) to 18.10.3 (exc)
gitlab gitlab From 18.2.0 (inc) to 18.8.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in GitLab EE affects customizable analytics dashboards in certain versions. It allows an authenticated user to execute arbitrary JavaScript code in the browsers of other users. This happens because of improper input sanitization, meaning that malicious scripts can be injected and run within other users' browser sessions.


How can this vulnerability impact me? :

The vulnerability can lead to cross-site scripting (XSS) attacks where an attacker can run malicious JavaScript in other users' browsers. This can result in unauthorized actions performed on behalf of those users, theft of sensitive information such as session tokens, or manipulation of the user interface, potentially compromising user data and trust.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade GitLab EE to a fixed version. Specifically, update to version 18.8.9 or later if you are on the 18.8 branch, 18.9.5 or later if on the 18.9 branch, or 18.10.3 or later if on the 18.10 branch.

This vulnerability affects customizable analytics dashboards where an authenticated user could execute arbitrary JavaScript in other users' browsers due to improper input sanitization. Applying the update will remediate this issue.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart