CVE-2025-7734 HIGH

CVE-2025-7734: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Vendor Gitlab

Product GitLab

Weakness CWE-79 · XSS

Published August 13, 2025

Last update August 13, 2025

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.

Key dates

02Disclosure timeline

August 13, 2025 CVE published

August 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-7734

Related vulnerabilities

04Related CVE

CVE-2025-53982 WordPress JetElements For Elementor plugin <= 2.7.7 - Cross Site Scripting (XSS) Vulnerability CVE-2023-4507 Admission AppManager <= 1.0.0 - Reflected Cross-Site Scripting CVE-2025-26575 WordPress Display Post Meta plugin <= 1.5- Cross Site Scripting (XSS) vulnerability CVE-2025-14127 Testimonial Master <= 0.2.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] CVE-2024-3988 Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sina Fancy Text Widget

Identifiers

CVE CVE-2025-7734

CWE CWE-79

CVSS 8.7 / HIGH

Affected versions

Vendor Gitlab

Product GitLab

Affected ≥ 14.2 and < 18.0.6

Vendor Gitlab

Product GitLab

Affected ≥ 18.1 and < 18.1.4

Vendor Gitlab

Product GitLab

Affected ≥ 18.2 and < 18.2.2