Arbitrary JavaScript Execution Vulnerability in GitLab EE
CVE-2026-4332

5.4MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-4332?

GitLab has identified a security concern in GitLab EE related to customizable analytics dashboards. An improper sanitization of user input could allow an authenticated user to execute arbitrary JavaScript in the context of another user's browser. This could lead to unauthorized actions within the application, posing risks to user data and application integrity. The issue has been addressed in subsequent releases, reinforcing the importance of proper input handling in web applications.

Affected Version(s)

GitLab 18.2 < 18.8.9

GitLab 18.9 < 18.9.5

GitLab 18.10 < 18.10.3

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/593853

https://hackerone.com/reports/3600345

technical-descriptionexploitpermissions-required

https://about.gitlab.com/releases/2026/04/08/patch-releas...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 17, 2026

Credit

Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-4332 Data

JSON