CVE-2026-2995 HIGH

CVE-2026-2995: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-80 · XSS · basic
Published March 25, 2026
Last update March 26, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

GitLab has remediated an issue in GitLab EE affecting all versions from 15.4 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to add email addresses to targeted user accounts due to improper sanitization of HTML content.

Key dates

02Disclosure timeline

March 25, 2026 CVE published
March 26, 2026 Record updated