Input Sanitization Flaw in GitLab EE Affects Multiple Versions
CVE-2026-6073

8.7HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-6073?

GitLab’s EE has addressed a significant input sanitization issue that permitted authenticated users to potentially execute arbitrary JavaScript in the browsers of other users. This vulnerability affects various versions of GitLab EE, specifically from 18.7 versions prior to 18.9.7, 18.10 versions prior to 18.10.6, and 18.11 versions prior to 18.11.3. Proper input validation measures were lacking, which could allow malicious actors with authenticated access to exploit the flaw and manipulate user sessions, leading to possible unauthorized actions within the platform.

Affected Version(s)

GitLab 18.7 < 18.9.7

GitLab 18.10 < 18.10.6

GitLab 18.11 < 18.11.3

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/596340

https://hackerone.com/reports/3655677

technical-descriptionexploitpermissions-required

https://about.gitlab.com/releases/2026/05/13/patch-releas...

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 10, 2026

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-6073 Data

JSON

Gitlab

What is CVE-2026-6073?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit