JavaScript Execution Flaw in GitLab CE/EE by GitLab
CVE-2026-2973

5.4MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 25 March 2026

What is CVE-2026-2973?

A vulnerability exists in GitLab CE/EE, affecting versions from 17.7 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. This flaw results from insufficient sanitization of entity-encoded content in Mermaid diagrams, allowing an authenticated user to execute arbitrary JavaScript in a victim's browser. This issue poses a serious threat to user security, potentially enabling attackers to steal sensitive information or manipulate user sessions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

GitLab 17.7 < 18.8.7

GitLab 18.9 < 18.9.3

GitLab 18.10 < 18.10.1

References

https://hackerone.com/reports/3566802

technical-descriptionexploitpermissions-required

https://gitlab.com/gitlab-org/gitlab/-/work_items/591049

https://about.gitlab.com/releases/2026/03/25/patch-releas...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2026
Vulnerability Reserved
Feb 22, 2026

Credit

Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program

JSON

Gitlab