Arbitrary Script Execution Vulnerability in GitLab CE/EE
CVE-2026-13320

7.3HIGH

Key Information:

Vendor

Gitlab

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-13320?

An issue has been identified in GitLab CE/EE that impacts multiple versions, where an authenticated user could potentially execute arbitrary scripts in another user's browser session. This arose from an improper sanitization of user-supplied input, enabling the possibility for malicious activities under specific conditions. Remediation was carried out to mitigate this risk in the affected versions.

Affected Version(s)

GitLab 15.7 < 18.11.7

GitLab 19.0 < 19.0.4

GitLab 19.1 < 19.1.2

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [youzslan](https://hackerone.com/youzslan) and [a_m_a_m](https://hackerone.com/a_m_a_m) for reporting this vulnerability through our HackerOne bug bounty program
.