HTML Injection Vulnerability in GitLab CE/EE by GitLab
CVE-2025-6186

5.4MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 13 August 2025

What is CVE-2025-6186?

An issue has been identified in GitLab CE/EE, affecting certain versions, where authenticated users can exploit a vulnerability to perform account takeover. By injecting malicious HTML into work item names, attackers can manipulate the application's behavior, possibly compromising user accounts and sensitive information.

Affected Version(s)

GitLab 18.1 < 18.1.4

GitLab 18.2 < 18.2.2

References

https://gitlab.com/gitlab-org/gitlab/-/issues/549844

issue-trackingpermissions-required

https://hackerone.com/reports/3189522

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 13, 2025
Vulnerability Reserved
Jun 16, 2025

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program