CVE-2026-5816
Cross-Site Scripting in GitLab CE/EE Allows Arbitrary JS Execution
Publication date: 2026-04-22
Last updated on: 2026-04-23
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.10.0 (inc) to 18.10.4 (exc) |
| gitlab | gitlab | From 18.10.0 (inc) to 18.10.4 (exc) |
| gitlab | gitlab | 18.11.0 |
| gitlab | gitlab | 18.11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-41 | The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE versions before 18.10.4 and 18.11.1 allows an unauthenticated user to execute arbitrary JavaScript in a user's browser session. This happens due to improper path validation under certain conditions.
How can this vulnerability impact me? :
The vulnerability can lead to arbitrary JavaScript execution in a user's browser session, which may result in compromised user data, session hijacking, or other malicious actions performed on behalf of the user.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade GitLab CE/EE to versions 18.10.4 or later if you are using the 18.10 series, or to version 18.11.1 or later if you are using the 18.11 series.