CVE-2026-10087

Published: Jun 11, 2026Modified: Jun 11, 2026

8.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Exploitability: 2.3 / Impact: 5.8

Source: cve@gitlab.com (Secondary)

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/

Source: cve@gitlab.com

https://gitlab.com/gitlab-org/gitlab/-/work_items/601633

Source: cve@gitlab.com

https://hackerone.com/reports/3759090

Source: cve@gitlab.com

Timeline

No history available yet.