CVE-2026-10712
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that, under certain conditions, could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation.
In plain language
CVE-2026-10712 is a GitLab flaw where, under certain conditions, someone without an account could trick a user into running malicious JavaScript in their browser. If you use an affected GitLab version, you should update—this is a “do something now” issue for most small businesses.
CVE-2026-10712 is an unauthenticated Cross-site Scripting (CWE-79) in GitLab where improper input neutralization during web page generation can allow attacker-controlled JavaScript to execute in a victim’s browser session under certain conditions (requires user interaction, and depends on specific reachability/path conditions).
What to do now
- Check your GitLab version and whether it falls in an affected range: 18.10 up to but not including 18.11.6, 19.0 before 19.0.3, or 19.1 before 19.1.1.
- Plan an upgrade of GitLab to one of the fixed versions: 18.11.6, 19.0.3, or 19.1.1 (or newer on your branch).
- After upgrading, verify that GitLab reports the upgraded version and that the related web UI pages load normally.
- Review web/application logs for unusual errors or suspicious requests in the period leading up to the upgrade, especially if users reported odd pop-ups or redirects.
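To make the first step repeatable across many instances, here is a small checker (an added example, not part of the advisory) that tests a GitLab version string against the three affected ranges listed above. It assumes the version string in the form GitLab shows in the admin area or returns from the `/api/v4/version` endpoint, for example `18.11.5-ee`.

```python
"""Check whether a GitLab version lies in a range affected by CVE-2026-10712.

The ranges below are taken from the advisory: each branch is affected from the
first version listed up to, but not including, the fixed release.
"""
import re

# (first affected version, first fixed version) per release branch, per the advisory.
AFFECTED_RANGES = (
    ("18.10", "18.11.6"),
    ("19.0", "19.0.3"),
    ("19.1", "19.1.1"),
)


def parse_version(text):
    """Turn '18.11.5' or '19.0.2-ee' into a comparable (major, minor, patch) tuple.

    A missing patch component (e.g. '18.10') is treated as .0, and any edition
    suffix such as '-ee' is ignored. Raises ValueError on unrecognised input.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version_text):
    """Return the fixed release on the same branch, or None if not affected."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Half-open interval: the fixed release itself is not affected.
        if parse_version(first_affected) <= version < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version_text):
    """True if the given GitLab version falls inside an affected range."""
    return fixed_version_for(version_text) is not None


if __name__ == "__main__":
    # Constructed sample inputs, not real instances.
    for sample in ("18.11.5-ee", "18.11.6", "19.0.2", "19.1.1"):
        print(sample, "affected, upgrade to" if is_affected(sample) else "not affected",
              fixed_version_for(sample) or "")
```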
CVSS Vector Breakdown
CVSS vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
- AV:N (Attack Vector: Network)
- AC:H (Attack Complexity: High)
- PR:N (Privileges Required: None)
- UI:R (User Interaction: Required)
- S:C (Scope: Changed)
- C:H (Confidentiality: High)
- I:H (Integrity: High)
- A:N (Availability: None)
References
- Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More (The Hacker News)
- GitLab Patches Code Execution, Information Disclosure Vulnerabilities (SecurityWeek)
- GitLab Security Updates Fix 13 Flaws (Daily CyberSecurity, securityonline.info)