CVE-2025-4439 HIGH

CVE-2025-4439: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-79 · XSS
Published July 23, 2025
Last update February 26, 2026
View on NVD All CVEs

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.

Key dates

02Disclosure timeline

July 23, 2025 CVE published
February 26, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2019-25422 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via vpnfw CVE-2025-62756 WordPress The Moneytizer plugin <= 10.0.9 - Cross Site Scripting (XSS) vulnerability CVE-2025-0350 Divi Carousel Lite <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Logo Carousel Widgets CVE-2025-62082 WordPress Generic Elements plugin <= 1.2.9 - Cross Site Scripting (XSS) vulnerability CVE-2024-1157 Bold Page Builder <= 4.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL