CVE-2025-11224 HIGH

CVE-2025-11224: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-79 · XSS
Published January 14, 2026
Last update February 26, 2026
View on NVD All CVEs

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.

Key dates

02Disclosure timeline

January 14, 2026 CVE published
February 26, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-66420 CVE-2024-56408 PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file CVE-2024-11201 myCred – Loyalty Points and Rewards plugin <= 2.7.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode CVE-2024-29797 WordPress Grid Shortcodes plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability CVE-2021-34656 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat <= 5.2.7 Reflected Cross-Site Scripting