Improper Input Validation in GitLab Affects User Browser Security
CVE-2026-3254

3.5LOW

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-3254?

GitLab has addressed a flaw in the GitLab CE/EE product where improper input validation in the Mermaid sandbox could allow an authenticated user to inject unauthorized content into another user's web browser. This vulnerability affects all versions of GitLab from 18.11 prior to 18.11.1, presenting potential risks in user session integrity and overall security. Users are advised to update their installations promptly to mitigate possible exploitation.

Affected Version(s)

GitLab 18.11 < 18.11.1

References

https://hackerone.com/reports/3572752

technical-descriptionexploitpermissions-required

https://gitlab.com/gitlab-org/gitlab/-/work_items/591587

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Feb 26, 2026

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-3254 Data

JSON